[issue42970] File path with blank causes open error in 3.8, not in 3.7

[Ronald Oussoren]

Ronald Oussoren  added the comment:

What kind of error do you get?

--
nosy: +ronaldoussoren

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42987] HTTP header injection in urllib on windows

[Gregory P. Smith]

Gregory P. Smith  added the comment:

Have you tried this on a more recent Python?  works for me on 3.7.8 on macos.

Python 3.7.8 (v3.7.8:4b47a5b6ba, Jun 27 2020, 04:47:50) 
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.request import urlopen
>>> remote_image = urlopen('http://127.0.0.1:6379/\r\nset ce test\r\n/1.jpg')
Traceback (most recent call last):
  File "", line 1, in 
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py",
 line 222, in urlopen
return opener.open(url, data, timeout)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py",
 line 525, in open
response = self._open(req, data)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py",
 line 543, in _open
'_open', req)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py",
 line 503, in _call_chain
result = func(*args)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py",
 line 1378, in http_open
return self.do_open(http.client.HTTPConnection, req)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/urllib/request.py",
 line 1350, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py",
 line 1262, in request
self._send_request(method, url, body, headers, encode_chunked)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py",
 line 1273, in _send_request
self.putrequest(method, url, **skips)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py",
 line 1116, in putrequest
self._validate_path(url)
  File 
"/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py",
 line 1207, in _validate_path
raise InvalidURL(f"URL can't contain control characters. {url!r} "
http.client.InvalidURL: URL can't contain control characters. '/\r\nset ce 
test\r\n/1.jpg' (found at least '\r')


If this is somehow Windows specific (that'd be surprising), I don't have 
windows and someone else will need to confirm.

--
nosy: +gregory.p.smith

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue36456] task.cancel unbound recursion

[Dima Tisnek]

Dima Tisnek  added the comment:

Py3.10: tested on v3.10.0a3:8bae2a958e and v3.10.0a4:445f7f54b1

--
versions: +Python 3.10

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue36456] task.cancel unbound recursion if task is deadlocked

[Dima Tisnek]

Change by Dima Tisnek :


--
title: task.cancel unbound recursion -> task.cancel unbound recursion if task 
is deadlocked

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42987] HTTP header injection in urllib on windows

[STINNER Victor]

STINNER Victor  added the comment:

> My python version is 3.7.2

Please upgrade, you version contains at least two fixed HTTP Header Injection 
vulnerabilities:

https://python-security.readthedocs.io/vuln/http-header-injection-method.html
https://python-security.readthedocs.io/vuln/urlopen-host-http-header-injection.html

I close the issue.

--
nosy: +vstinner
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42987] HTTP header injection in urllib on windows

[bfpiaoran]

bfpiaoran  added the comment:

ok i tried it, indeed

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42987] HTTP header injection in urllib on windows

[STINNER Victor]

STINNER Victor  added the comment:

FYI I wrote https://github.com/vstinner/check_python_vuln tool to check known 
Python vulnerabilities. But I didn't write a check for all known 
vulnerabilities. Contributions are welcome ;-)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42987] HTTP header injection in urllib on windows

[bfpiaoran]

bfpiaoran  added the comment:

I encountered a problem with this project 
https://github.com/zhangfisher/DjangoUeditor, but it seems that it is no longer 
maintained :)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue33289] tkinter askcolor returning floats for r, g, b values instead of ints

[Terry J. Reedy]

Terry J. Reedy  added the comment:

https://www.tcl.tk/man/tcl8.6/TkCmd/winfo.htm says
"winfo rgb window color
Returns a list containing three decimal values in the range 0 to 65535, 
which are the red, green, and blue intensities that correspond to color in the 
window given by window. Color may be specified in any of the forms acceptable 
for a color option."

Since tk represents data as strings, 'decimal value in [0, 65535)' means 
'integer value represented by decimal digits'.  'correspond to color in the 
window' implies that the mapping from color to decimal value could depend on 
the window.  The mapping *does* differ between systems (see below).

https://www.tcl.tk/man/tcl8.6/TkLib/GetColor.htm
Lists possible return values, hence acceptible forms, as name or '#' followed 
by 1 to 4 hex digits.  It continues with "Each R, G, or B represents a single 
hexadecimal digit. The four forms permit colors to be specified with 4-bit, 
8-bit, 12-bit or 16-bit values. When fewer than 16 bits are provided for each 
color, they represent the most significant bits of the color, while the lower 
unfilled bits will be repeatedly replicated from the available higher bits. For 
example, #3a7 is the same as #."

This omits to say what happens when there are 2 or 3 hex digits.  Windows 
ignores 3rd and 4th hex digits.  On Windows, dividing by 257 instead of 256 
would be correct.  However, 256 works because the 'error', represented by the 
remainder, is always in [0, 256).  MacOS does not ignore digits.

https://www.tcl.tk/man/tcl8.6/TkCmd/colors.htm
Lists current color names and their values as 16 bit decimals.

The PR is blocked because the new colorchooser tests pass on Windows and macOS 
but fail on Ubuntu.  Cheryl speculated that the color names values vary across 
systems.  I think that it might instead be a coding issue, but I want to 
understand coding on Windows and Mac better before looking into Linux.

--
versions: +Python 3.10 -Python 3.6, Python 3.7, Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

[Ryan Hileman]

Ryan Hileman  added the comment:

I just found out that generator object variants have their own code attributes. 
I investigated the stdlib usage and it seems to be for debug / dis only, so 
adding these attributes shouldn't impact performance.

I updated the PR to now cover the following attributes:

PyTracebackObject.tb_frame
PyFrameObject.f_code
PyGenObject.gi_code
PyCoroObject.cr_code
PyAsyncGenObject.ag_code

I have also attached a `check_hooks.py` file which allows for quick visual 
inspection that all of the hooks are working (It prints each attribute name, 
then accesses it. Expected output is an AUDIT line after each attribute 
printed.)

--
Added file: https://bugs.python.org/file49755/check_hooks.py

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42970] File path with blank causes open error in 3.8, not in 3.7

[Serhiy Storchaka]

Serhiy Storchaka  added the comment:

Please provide complete script that reproduces the issue. The provided three 
lines do not open any file and cannot generate such error.

It could help to add the debug prints:

print(f'mySrcFldr = {mySrcFldr!a}')
print(f'srcFldr = {srcFldr!a}')
print(f'f = {f!a}')

--
nosy: +serhiy.storchaka

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42923] Py_FatalError(): dump the list of extension modules

[STINNER Victor]

STINNER Victor  added the comment:

See also bpo-42955 "Add sys.module_names: list of stdlib module names (Python 
and extension modules)".

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42856] ensurepip: add configure --with-wheel-pkg-dir=PATH to get wheel packages from a system directory

[STINNER Victor]

Change by STINNER Victor :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42970] File path with blank causes open error in 3.8, not in 3.7

[Ronald Oussoren]

Ronald Oussoren  added the comment:

This might be a security feature in Big Sur, access to some locations is 
restricted by default. I'm not sure if that includes ~/Library, it definitely 
affects access to ~/Documents. I'd expect to see a security pop-up from the 
system though.

I cannot reproduce this with python 3.9.1 on Big Sur on an M1 system.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42780] os.set_inheritable() fails for O_PATH file descriptors on Linux

[STINNER Victor]

STINNER Victor  added the comment:


New changeset 844ec0ba6606b60a59b7da82c54c1e646424259c by cptpcrd in branch 
'3.8':
bpo-42780: Fix set_inheritable() for O_PATH file descriptors on Linux 
(GH-24172) (GH-24277)
https://github.com/python/cpython/commit/844ec0ba6606b60a59b7da82c54c1e646424259c


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42780] os.set_inheritable() fails for O_PATH file descriptors on Linux

[STINNER Victor]

STINNER Victor  added the comment:


New changeset 6893523bed4ad701838715380659c245eec71d48 by cptpcrd in branch 
'3.9':
bpo-42780: Fix set_inheritable() for O_PATH file descriptors on Linux 
(GH-24172) (GH-24278)
https://github.com/python/cpython/commit/6893523bed4ad701838715380659c245eec71d48


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42780] os.set_inheritable() fails for O_PATH file descriptors on Linux

[STINNER Victor]

STINNER Victor  added the comment:

Thanks cptpcrd for the bug report, the fix and for the two manual backports ;-)

Note: Python 3.6 and 3.7 no longer accept bugfixes.
https://devguide.python.org/#status-of-python-branches

--
versions:  -Python 3.6, Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42951] Random and infinite loop in dealing with recursion error for "try-except "

[Mark Shannon]

Mark Shannon  added the comment:

Yes, see PEP 651

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42951] Random and infinite loop in dealing with recursion error for "try-except "

[Mark Shannon]

Change by Mark Shannon :


--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42925] Error trace of else inside class

[Mark Shannon]

Change by Mark Shannon :


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42917] Block stack size for frame objects should be dynamically sizable

[Mark Shannon]

Mark Shannon  added the comment:

I see no advantage of getting rid of the limit of 20.

No one ever gets near 20 deep in practice.
Given the limit has been there for so long, it is likely that some tooling that 
expects the depth of try-statements to be limited.

Why would a code generator need to nest try statements so deeply? I'm curious.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42752] multiprocessing Queue leaks a file descriptor associated with the pipe writer (#33081 still a problem)

[mattip]

Change by mattip :


--
nosy: +davin, pitrou

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

[Mark Shannon]

Mark Shannon  added the comment:

I agree with Victor, we should not be attempting to build a sandbox.
https://www.python.org/dev/peps/pep-0578/#why-not-a-sandbox

Preventing access to global variables is next to impossible. Adding more and 
more hooks to prevent access to globals, merely adds the illusion of security. 
Sooner or later, someone will find a path to globals that would have a serious 
impact on performance to block.

We should assume that globals are accessible from user code, and write the 
audit function accordingly. Either in C or using a closure.

--
nosy: +Mark.Shannon

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue41545] gc API requiring matching number of gc.disable - gc.enable calls

[Yonatan Goldschmidt]

Yonatan Goldschmidt  added the comment:

Dennis, you're right. I guess I missed it when I previously searched for 
matching issues. https://bugs.python.org/issue31356 indeed solves my problem. 
Closing this as a duplicate.

--
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p

[Miro Hrončok]

New submission from Miro Hrončok :

Hello Python security,
a Fedora user has reported the following security vulnerability to us (I was 
able to verify it):

Running `pydoc -p` allows other local users to extract arbitrary files.

Steps to Reproduce:
1. start pydoc on a port
2. as a different user guess or extract the port
3. call getfile on the server to extract arbitrary files, e.g. 
http://localhost:/getfile?key=/home/dave/.ssh/id_rsa

Actual results:
any local user on the multi-user system can read all my keys and secrets

Expected results:
Access is prevented.

Additional info:
At least a warning should be printed, that this is insecure on multi-user 
systems.

Python notebook works around this by providing a token that is required to 
access the notepad. Depending on the system being able to read arbitrary files 
can allow to impersonate my, by  e.g. stealing my ssh-key (if it is 
non-encrypted) 



I've originally reported this to secur...@python.org but I was asked to open a 
public issue here.

--
components: Library (Lib)
messages: 385412
nosy: hroncok
priority: normal
severity: normal
status: open
title: Information disclosure via pydoc -p
type: security
versions: Python 3.10, Python 3.6, Python 3.7, Python 3.8, Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p

[Julien Palard]

Julien Palard  added the comment:

Nice find! I am able to reproduce it too in many Python releases.

I see differnt ways we can fix it:


# Using a random secret generated at startup time

Used any way, like by providing an hmac on getfile urls to ensure they are 
signed with the server secret.

Con: getfile URLS won't work from a run to another run (the secret should be 
random and changed at every start), and can't be shared (do someone share them 
in the first place?)


# Allowlist according to sys.path

In getfile implementation, we can check if the asked path is under a path from 
sys.path.

Con: If someone have ~/ in sys.path, we still can access all its home, or if 
someone start it using `python -m pydoc` while being in its home directory as 
Python will prepend the cwd in sys.path.


# Allowlist populated while generating links

Idea is: each time the server generates a getfile link, the target is added to 
an allowlist.

Each time a getfile link is requested, if the file is not in the allowlist, 
request is denied.

Con: Refreshing a page won't work after a server restart (thus having an empty 
allowlist).


# fnmatch allowlist

We could allow only `.py` files.

Con: Secrets stored in `.py` files under user project could still be leaked.


-

My personal preference goes for the allowlist populated while generating links.

--
nosy: +mdk

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42780] os.set_inheritable() fails for O_PATH file descriptors on Linux

[cptpcrd]

cptpcrd  added the comment:

No problem! I've noticed at least one other (relatively minor) issue in `os`, 
so I may be submitting further bug reports.

I haven't been keeping close track of 3.6/3.7's status, so I added them in 
without thinking it. Thanks for the reminder.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42955] Add sys.module_names: list of stdlib module names (Python and extension modules)

[hai shi]

Change by hai shi :


--
nosy: +shihai1991

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p

[STINNER Victor]

Change by STINNER Victor :


--
nosy: +vstinner

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p

[STINNER Victor]

STINNER Victor  added the comment:

Downstream Fedora issue: https://bugzilla.redhat.com/show_bug.cgi?id=1917807

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42985] AMD64 Arch Linux Asan 3.x fails: command timed out: 1200 seconds without output

[STINNER Victor]

STINNER Victor  added the comment:

It seems like something changed on the buildbot, not in Python, since it also 
fails on 3.8 and 3.9.

AMD64 Arch Linux Asan 3.9:
https://buildbot.python.org/all/#builders/579/builds/105

AMD64 Arch Linux Asan 3.8:
https://buildbot.python.org/all/#builders/580/builds/86

IMO we should disable ASAN (handling of signals) at runtime when we trigger a 
crash on purpose (ex: faulthandler._sigsegv()).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Looking at the _url_handler() code in pydoc.py, this was clearly not written 
with web server standards in mind. None of the handlers apply security checks 
on the user input and there are most likely several other vulnerabilities in 
there to be found.

It's not just the getfile query allowing reading arbitrary files. The user may 
well have code in his or her Python installation which is not meant to be 
published to other users on the same server.

I'd suggest to print a big warning on the console, explaining that the web 
server will potentially make all content accessible by the user visible to 
anyone else on the same server.

Perhaps adding some extra check to the html_getfile() handler would be good as 
well, making sure that the path is on sys.path and maps to a Python file (there 
could be non-Python file resources in package dirs as well).

Alternatively, perhaps the whole getfile logic could be removed and the web 
server just provide the path to the source file (as file:// link), so that the 
user can easily open it, but needs access permissions for this to be successful.

--
nosy: +lemburg

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42985] AMD64 Arch Linux Asan 3.x fails: command timed out: 1200 seconds without output

[STINNER Victor]

STINNER Victor  added the comment:

About SIGSEGV logs, one option is to use ASAN_OPTIONS="handle_segv=0".

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42985] AMD64 Arch Linux Asan 3.x fails: command timed out: 1200 seconds without output

[STINNER Victor]

STINNER Victor  added the comment:

Documentation of ASAN_OPTIONS:
https://github.com/google/sanitizers/wiki/SanitizerCommonFlags
https://github.com/google/sanitizers/wiki/AddressSanitizerFlags

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[STINNER Victor]

STINNER Victor  added the comment:

I searched for "pydoc by Ka-Ping Yee" in Google and only found two online pydoc 
services:

* https://gae-pydoc.appspot.com/
* 
http://www.cc.kyoto-su.ac.jp/~atsushi/Programs/VisualWorks/CSV2HTML/CSV2HTML_PyDoc/index_of_modules.html

The first one runs on Python 2.7 which doesn't have the getfile feature (added 
in Python 3.6), the second one is a static website.

=> there is no public vulnerable website: good!

I don't think that pydoc is commonly used to run a server on the Internet.

--
title: Information disclosure via pydoc -p -> Information disclosure via pydoc 
-p: /getfile?key=path allows to read arbitrary file on the filesystem

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[STINNER Victor]

STINNER Victor  added the comment:

An option is also to remove the whole getfile feature. It was added in bpo-2001 
by:

commit 7bb30b72d8a165f8bacbc480b8d5a15834fa4c35
Author: Nick Coghlan 
Date:   Fri Dec 3 09:29:11 2010 +

Improve Pydoc interactive browsing (#2001).  Patch by Ron Adam.

* A -b option to start an enhanced browsing session.
* Allow -b and -p options to be used together.
* Specifying port 0 will pick an arbitrary unused socket port.
* A new browse() function to start the new server and browser.
* Show Python version information in the header.
* A *Get* field which takes the same input as the help() function.
* A *Search* field which replaces the Tkinter search box.
* Links to *Module Index*, *Topics*, and *Keywords*.
* Improved source file viewing.
* An HTMLDoc.filelink() method.
* The -g option and the gui() and serve() functions are deprecated.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[STINNER Victor]

STINNER Victor  added the comment:

The getfile feature is used to display the source code of a Python module.

For example, on the difflib documentation, there a link to difflib.py. If you 
click, a webpage displays the content of the file.

I suggest to remove the whole feature. I don't think that it's so useful, 
compared to the vulnerability.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42911] Addition chains for pow saves 5-20% time for pow(int, int)

[Jurjen N.E. Bos]

Jurjen N.E. Bos  added the comment:

Well, I would argue that there is already quite a work going to for 
crypto-sized computations in the integer code, as well as the crypto-oriented 
.bit_count() function that was recently added.

For starters, the arguably crypto-oriented three argument pow() was there from 
Python 0.1 already, where I used it :-).
There's Karatsuba multiplication, five-ary powering, and quite a few 
optimizations on the speed of the number conversion.

And then of course the incredible implementation of Decimal, which does include 
a subquadratic division. I would say this would fit there.

And maybe I'll make a subquadratic division for ints someday...

Tim, your vote please...

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42911] Addition chains for pow saves 5-20% time for pow(int, int)

[Jurjen N.E. Bos]

Jurjen N.E. Bos  added the comment:

...not to mention the new gcd and lcm functions, and the fact that the number 
conversion is linear for exponent-of-two bases, and the negative power modulo a 
prime number!

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

[Ryan Hileman]

Ryan Hileman  added the comment:

My personal motivation is not to unilaterally prevent access to globals, but to 
close a simpler gap in the audit system that affects a currently deployed high 
performance production system (which is not trying to be a sandbox). I am also 
already using a C audit hook for my purposes.

If you are referencing vstinner's first message, please remember to read their 
follow up https://bugs.python.org/msg384988 where they seem to have changed 
their mind in support of the patch.

The audit attributes I'm chasing here are fairly small in scope, and 
overwhelmingly only used in debug code. I believe adding them is in the spirit 
of the original PEP. I have also done extensive testing and CPython C and 
stdlib code analysis as part of this effort.

If you agree with the original PEP authors that __code__ and sys._getframe() 
are worth auditing, then I believe this is a natural extension of that concept. 
My patch improves upon the PEP by increasing the audit coverage to every way I 
can see of getting a frame and code object from basic CPython types.

This is a simple patch with clear performance metrics. I don't see any reason 
to expand the scope of this in the future unless CPython adds another basic 
object type along the same lines (e.g. a new async function type, a new 
traceback type, or a new frame type).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42977] Tkinter Optionmenu Too Narrow on Mac

[E. Paine]

E. Paine  added the comment:

I suspect this is just a MacOS behaviour, if not then it is a Tk bug. If you 
really need to enforce the width, you could tell it to expand horizontally in 
the layout. An example of this would be as follows:

tk.Frame(root, height=1, width=300).pack()
tk.OptionMenu(root, tk.StringVar(), "test").pack(fill="x")

A bit more detail on the Tk side of things:
tkinter doesn't actually use `tk_optionMenu` and instead creates its own 
menubutton and menu. The issue with the menubutton width not changing also 
exists when working directly with Tk (`pack [menubutton .p -width 100]`). 
However, the same behaviour can be shown when using `tk_optionMenu`, so 
changing tkinter to use that instead would not fix this issue.

--
nosy: +epaine, serhiy.storchaka

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42989] Bug

[Andrew C]

New submission from Andrew C :

if playerChoice == "2": reports the ":" as a "syntax error"

--
components: Windows
messages: 385427
nosy: ASCRong, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Bug
type: behavior
versions: Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42985] AMD64 Arch Linux Asan 3.x fails: command timed out: 1200 seconds without output

[Senthil Kumaran]

Senthil Kumaran  added the comment:

> IMO we should disable ASAN (handling of signals) at runtime when we trigger a 
> crash on purpose (ex: faulthandler._sigsegv()).

> ASAN_OPTIONS="handle_segv=0".

Both sound reasonable. But not sure if they will resolve this crash tough.

--
nosy: +orsenthil

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

[Mark Shannon]

Mark Shannon  added the comment:

If the point of the proposed change is not to deny access to globals, then what 
is the point of it?

You say that this change is to "close a simpler gap in the audit system".
What it is that the audit system is supposed to prevent, that is currently 
possible, and that your proposed change would prevent?

I'm worried that we end up adding more and more hooks. Performance and 
maintainability will suffer.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue1375011] http.cookies, Cookie.py: Improper handling of duplicate cookies

[Christoph Zwerschke]

Christoph Zwerschke  added the comment:

This patch should really be included.

As carl already mentioned, the relevant spec is RFC 6265, see section 5.4.2: 
"The user agent SHOULD sort the cookie-list in the following order: Cookies 
with longer paths are listed before cookies with shorter paths. Among cookies 
that have equal-length path fields, cookies with earlier creation-times are 
listed before cookies with later creation-times."

Currently, if the cookies are loaded with cookies.load(env['HTTP_COOKIE']) as 
most web frameworks do, then the cookies will be populated with the least 
specific or oldest values if there are duplicates. This is really bad.

--
nosy: +cito

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42989] Bug

[Zachary Ware]

Zachary Ware  added the comment:

That line on its own will cause an IndentationError, which is a subclass of 
SyntaxError.  However, out of context, without the full traceback, and without 
a description of your environment, the only thing I have to go on here is the 
fact that the vast majority of syntax errors are problems in user code, not 
Python itself.  This is not a forum for getting help with your own program, but 
you can try out discuss.python.org or the python-l...@python.org mailing list 
for that.

--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42990] Improve the C code for calling Python code

[Mark Shannon]

New submission from Mark Shannon :

Currently, to make a call to Python (modules, classes, etc, not just functions) 
from C has to use the monster that is `_PyEval_EvalCode`.
As Python has adding features over the years, _PyEval_EvalCode has grown and 
grown. It is time for a refactor.

`_PyEval_EvalCode` takes 16, yes sixteen parameters!
Those 16 parameters fall into two main groups, one describing the function 
being called, and the other describing the arguments to the call.
Due to the jumbo size and complexity of _PyEval_EvalCode, we also have 
specialised forms of it, e.g. _PyFunction_Vectorcall that handle common cases 
and then bail to _PyEval_EvalCode in other cases.

In outline _PyEval_EvalCode performs the following actions:
1. Make a new frame.
2. Fill in that frame using the arguments and defaults provided.
3. If the code object has flags set for a generator, or coroutine, return a new 
generator or coroutine.
4. Otherwise call the interpreter with the newly created frame.

As _PyEval_EvalCode or its earlier equivalents have gained arguments, they have 
a left of list of legacy functions. It is not clear what is the "correct" 
function to use in C extensions. Hopefully extension code uses the 
`PyObject_Call` API, but `PyEval_EvalCodeEx` is part of the C-API.


To improve this situation, I propose:

A new C struct, the "frame descriptor" which contains the code object, 
defaults, globals, and names that describe the code to be executed. 
`PyFunctionObject` would wrap this, to simplify the common case of calling a 
Python function. 

Split the Eval functions into vector and tuple/dict forms, both forms taking a 
"frame descriptor", as well as the arguments.

Mark the older forms of the Eval functions as "legacy", creating a local "frame 
descriptor" and transforming the arguments in vector or tuple/dict forms, in 
the legacy functions.

Factor out the frame creation part of the Eval functions.


The above changes will be necessary for PEP 651, but I think would be a 
worthwhile improvement even if PEP 651 is not accepted.

--
assignee: Mark.Shannon
components: Interpreter Core
messages: 385432
nosy: Mark.Shannon
priority: normal
severity: normal
stage: needs patch
status: open
title: Improve the C code for calling Python code

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42035] [C API] PyType_GetSlot cannot get tp_name

[hai shi]

hai shi  added the comment:

Wait. petr mentioned `_PyType_Name` in PR 23903 which use the short name. So I 
am not sure which way is better. Lol~

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42966] argparse: customizable help formatter

[hai shi]

Change by hai shi :


--
nosy: +paul.j3, rhettinger

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[Ken Jin]

Change by Ken Jin :


--
keywords: +patch
nosy: +kj
nosy_count: 4.0 -> 5.0
pull_requests: +23104
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24285

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue33289] tkinter askcolor returning floats for r, g, b values instead of ints

[Terry J. Reedy]

Terry J. Reedy  added the comment:

65535 = 35536 - 1 = 256 * 256 - 1 == 255 * 257

On Windows, each r, g, b value is n * 257 for n in range(256) (see attached 
file).  The precision loss happens when colors are stored, before the division 
in winfo_rgb.  Perhaps 8 bits/channel (including alpha) is baked in.

Since divmod(n * 257, 257) = (n, 0) and divmod(n * 257, 256) = (n, n),
(n*257) // m = divmod(n*257, m)[0] = n whether m is 256 or 257.
---

macOS appears (from limited experiments) to handle 1 and 2 digits the same as 
Windows (repeat 4 or 2 times): val('#a00') = val('#') = 0x, 
val('#ab') = val('#abab') = 0xabab.  4 digits are left alone while 
3 digits use the 1st as the 4th val('#abc00') = val('#abca') = 
0xabca.

--
Added file: https://bugs.python.org/file49756/tk_rgb.py

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[Ken Jin]

Ken Jin  added the comment:

I created a PR to remove the getfile function - now it just places the 
hyperlinked file path there but clicking on it won't render the file contents.

Personally I agree with Marc-Andre Lemburg's comments on how _url_handler 
probably has other vulnerabilities somewhere. But I don't really see an easy 
solution other than removing the web server altogether. It uses http.server, 
which has a disclaimer on the docs page saying it isn't recommended for 
production. Someone looking hard enough can probably find a few more 
vulnerabilities in http.server itself rather than just pydoc.

I think the "Allowlist populated while generating links" suggested by Julien is 
pretty clever. 

I thought about file: // approach too - it's probably the most secure. But it 
would require a lot of change (and also generating all the .py files to .html 
initially).

Maybe I'll make a PR exploring the other approaches if the current one isn't 
favorable.

Thanks for your time.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42606] Support POSIX atomicity guarantee of O_APPEND on Windows

[Alexey Izbyshev]

Alexey Izbyshev  added the comment:

> It's possible to query the granted access of a kernel handle via 
> NtQueryObject: ObjectBasicInformation

Ah, thanks for the info. But it wouldn't help for option (1) that I had in mind 
because open() and os.open() currently set only msvcrt-level O_APPEND.

It probably could be used in my current PR instead of just assuming the default 
access rights for file handles, but I'm not sure whether it makes sense: can a 
new handle have non-default access rights? Or can the default change at this 
point of Windows history?

> Python could implement its own umask value in Windows. os.umask() would set 
> the C umask value as well, but only for the sake of consistency with C 
> extensions and embedding.

Would it be a long shot to ask MS to add the needed functionality to MSVCRT 
instead? Or at least to declare the bug with _umask_s() that I described a 
feature. Maybe Steve Dower could help.

> Open attribute flags could also be supported, such as O_ATTR_HIDDEN and 
> O_ATTR_SYSTEM. These are needed because a hidden or system file is required 
> to remain as such when it's overwritten, else CreateFileW fails.

I didn't know that, thanks. Indeed, a simple open(path, 'w') fails on a hidden 
file with "Permission denied".

> If it's important enough, msvcrt.open() and msvcrt.O_TEXT could be provided.

Yes, I'd be glad to move support for more obscure MSVCRT flags to msvcrt.open() 
-- the less MSVCRT details we leak in os.open(), the more freedom we have to 
implement it via proper Win32 APIs.

===

Anyway, even if the blockers for implementing open()/os.open() via CreateFile() 
are solved, my current PR doesn't seem to conflict with such an implementation 
(it could just be replaced in the future).

Currently, the only way to achieve atomic append in Python on Windows that I 
know is to use a custom opener that would call CreateFile() with the right 
arguments via ctypes/pywin32/etc.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue33289] tkinter askcolor returning floats for r, g, b values instead of ints

[Serhiy Storchaka]

Serhiy Storchaka  added the comment:

I do not understand why #abc00 and #abcd give 0xabab on my computer 
(Linux) and even weirder result on Ubuntu on CI. Reading the code I expected 
the same behavior as on macOS.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue33289] tkinter askcolor returning floats for r, g, b values instead of ints

[Terry J. Reedy]

Terry J. Reedy  added the comment:

Your Linux result is the same as on Windows. Given strings 'abc' or 'abcd', 
ignore 'c' or 'cd' and expand 'ab' to 'abab', making value 0xabab.  Is your 
computer Ubuntu (implying that personal Ubuntu != CI Ubuntu) or a different 
Linux?  Are there tk/tcl compilation flags or X window options that could 
affect stored color values?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42514] Relocatable framework for macOS

[Tom Goddard]

Change by Tom Goddard :


--
nosy: +tomgoddard

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42888] Not installed “libgcc_s.so.1” causes exit crash.

[Alexey Izbyshev]

Alexey Izbyshev  added the comment:

Thank you for testing. I've added a NEWS entry to the PR, so it's ready for 
review by the core devs.

Note that PyThread_exit_thread() can still be called by daemon threads if they 
try to take the GIL after Py_Finalize(), and also via C APIs like 
PyEval_RestoreThreads() (see bpo-42969), so, in general, libgcc_s is still 
required for CPython.

--
versions: +Python 3.8, Python 3.9

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42969] pthread_exit & PyThread_exit_thread from PyEval_RestoreThread etc. are harmful

[Alexey Izbyshev]

Change by Alexey Izbyshev :


--
nosy: +izbyshev

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

[Ryan Hileman]

Ryan Hileman  added the comment:

My understanding as per the outline in PEP 551 as well as PEP 578, is that the 
audit system is meant primarily to observe the behavior of code rather than to 
have good sandbox coverage / directly prevent behavior.

I am using audit hooks to observe the behavior of third party Python, and I 
identified an indicator of shady behavior which includes code and frame object 
access (which includes sys._getframe(), and __code__, both of which are part of 
the original PEP 578).

I looked into it further and realized the CPython's auditing for those 
attributes/objects is superficial. I understand that auditing isn't perfect, 
and I'm not trying to change that. This patch just seems to me like a really 
basic and obvious extension of the existing __code__ and getframe audit points.



I ask that if your main hesitation is the impact of future audit hooks, we use 
this opportunity to establish a basic written precedent we can reference in the 
future about which kind of audit hook modifications are likely to be accepted 
without, say, another PEP.

One possible set of criteria:
 - The added hooks should be justified as functionally identical to something 
the existing PEP(s) suggested.
 - Performance should be measured and it should have very little impact on 
stdlib or general code.
 - The requester should be expected to justify the change, e.g. how it closes 
an obvious gap in an existing PEP 578 hook.

And my answers for those criteria:
 - These are functionally equivalent to the existing PEP 578 hooks for 
sys._getframe() and function.__code__ - they operate on similar types of 
objects and are used for accessing the exact same information.
 - Performance impact here appears to be only for debugging code, and 
performance impact on debugging code is infinitesimal when no audit hook is 
active.
 - I am auditing code for trivial usage of Python frames and code objects, and 
I can't do that sufficiently with the existing hooks (especially so now that 
I'm publicly documenting this gap).



If the primary complaint is maintenance burden, would it be preferable to add 
an attribute audit flag to PyMemberDef instead of using one-off PyGetSetDef 
functions? e.g.:

static PyMemberDef frame_memberlist[] = {
{"f_code",  T_OBJECT,   OFF(f_code),  
READONLY|AUDIT_ACCESS},
}

That would definitely simplify the implementation.

If these additions aren't worth it, I would almost recommend removing or 
deprecating the existing __code__ and sys._getframe() audit hooks instead, as I 
find them to be not very useful without this patch.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue33289] tkinter askcolor returning floats for r, g, b values instead of ints

[Serhiy Storchaka]

Serhiy Storchaka  added the comment:


New changeset 6713e869c4989c04318158b406c30a147ea52904 by Cheryl Sabella in 
branch 'master':
bpo-33289: Return RGB triplet of ints instead of floats from 
tkinter.colorchooser (GH-6578)
https://github.com/python/cpython/commit/6713e869c4989c04318158b406c30a147ea52904


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42982] Update suggested number of iterations for pbkdf2_hmac()

[Christian Heimes]

Christian Heimes  added the comment:

Is there any scientific research or mathematical proof for 250,000 iteration?

--
nosy: +christian.heimes

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42991] support for splitting multichannel audio fragments in audioop module

[Ramon]

New submission from Ramon :

All functions from the audioop module that work on stereo fragments, provide 
the same behaviour on multichannel (i.e. 5.1 channel LPCM) fragments. This is, 
however, not true for the tomono() function, that only makes sense when 
supplied with a 2-channel fragment.

Therefore, I suggest adding an extra function to the module that demultiplexes 
any N-channel fragment and returns a given channel as mono fragment:
audioop.demux(fragment, width, nChannels, channel)

When, for example, applied to a 16 bit stereo fragment, audioop.demux(fragment, 
2, 2, 0) would give the same result as audioop.tomono(fragment, 2, 1.0, 0).

--
components: Extension Modules
messages: 385443
nosy: Th4R4
priority: normal
severity: normal
status: open
title: support for splitting multichannel audio fragments in audioop module
type: enhancement
versions: Python 3.10

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42991] support for splitting multichannel audio fragments in audioop module

[Ramon]

Change by Ramon :


--
keywords: +patch
pull_requests: +23105
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24286

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42991] support for splitting multichannel audio fragments in audioop module

[Ramón Fraterman]

Change by Ramón Fraterman :


--
status: open -> pending

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42862] Use functools.lru_cache iso. _sqlite.Cache in sqlite3 module

[Erlend Egeberg Aasland]

Erlend Egeberg Aasland  added the comment:

This works:

1) fully implement GC in connection (bpo-42972)
2) also visit statement_cache
3) explicitly close connections _and_ call GC in problematic tests

The first point might not be needed for this particular fix.
The last point is a workaround, not a solution. Or is it ok to call 
gc.collect() in the test suite?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42862] Use functools.lru_cache iso. _sqlite.Cache in sqlite3 module

[Erlend Egeberg Aasland]

Erlend Egeberg Aasland  added the comment:

> Or is it ok to call gc.collect() in the test suite?

Seems like it's ok:

$ grep -r gc.collect Lib/test | wc -l
366

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42991] support for splitting multichannel audio fragments in audioop module

[Ramón Fraterman]

Change by Ramón Fraterman :


--
status: pending -> open

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42992] Tkinter bbox coordinates incorrectly drawn

[Ron Hoffmann]

New submission from Ron Hoffmann :

position coordinates retrieved from any object on a canvas with
pos = canvas.bbox(object) are returned correctly

but when drawn on the canvas (x0,y0) are correct, but
(x1, y1) are not drawn in the proper positions. x1 has been divided by 2 
somewhere and y1 as been multiplied by 2 somewhere.
in order for the bounding box to be drawn correctly
x1 and y1 need to be recalculated as follows

x1 = pos[0] + ( ( pos[2] - pos[0] ) * 2 )
y1 = pos[1] + ( ( pos[3] - pos[1] ) / 2 )

--
components: Tkinter
messages: 385446
nosy: rhoffmann
priority: normal
severity: normal
status: open
title: Tkinter bbox coordinates incorrectly drawn
type: behavior
versions: Python 3.8

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42993] doc xml.etree.ElementTree.ElementTree.write does not mention attribute order

[Christian Buhtz]

New submission from Christian Buhtz :

The docs for 'xml.etree.ElementTree.ElementTree.write' in Python 3.7 (and 
possible earlier) does not say a word about the ordering of the attributes.

This makes unittesting hard.

But looking in the code tells me that the attributes are ordered lexically. 
Important to know. So please upgrade the docu about that.

In Python 3.8 the ordering behavior changed again but is mentioned in the docu. 
So no need to change in 3.8 or later.

--
assignee: docs@python
components: Documentation
messages: 385448
nosy: buhtz, docs@python
priority: normal
severity: normal
status: open
title: doc xml.etree.ElementTree.ElementTree.write does not mention attribute 
order
type: enhancement
versions: Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42980] argparse: GNU-style help formatter

[paul j3]

paul j3  added the comment:

The refactoring looks reasonable.

But while we are tweaking:

def _format_action_invocation(self, action):

I wonder if we also give users more control over how multiple option strings 
are formatted.  Currently if 

 parser.add_argument('-f', '--foo', help='something')

the help line will be

 -f FOO, --foo FOO something

with this alternate formatter it would be (I think)

 -f FOO, --foo=FOO something

But with longer option strings users often want

 -f, --foo FOO something

or even just

 -f, --foo something

we can almost get the last with `metavar=''`

 -f , --foosomething

which has a superfluous space before the comma.

I don't recall if there's already a bug/issue for this or not.  Maybe the fix 
is a subclass with a complete replacement of this _format_action_invocation 
method.  I'll have do more research (here and on Stackoverflow).

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42994] Missing MIME types for opus, AAC and 3gpp(2)

[Nathan Beals]

New submission from Nathan Beals :

These are officially recognized MIME types by IANA: 
https://www.iana.org/assignments/media-types/media-types.xhtml#audio

- .opus: audio/opus (https://www.iana.org/assignments/media-types/audio/opus 
and https://tools.ietf.org/html/rfc7845 for recommended file extension)
- .aac: audip/aac (https://www.iana.org/assignments/media-types/audio/aac)
- .3gp: audio/3gpp (https://www.iana.org/assignments/media-types/audio/3gpp)
- .3g2: audio/3gpp2 (https://www.iana.org/assignments/media-types/audio/3gpp2)

--
components: Library (Lib)
messages: 385449
nosy: nbeals
priority: normal
severity: normal
status: open
title: Missing MIME types for opus, AAC and 3gpp(2)
type: enhancement
versions: Python 3.10

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42994] Missing MIME types for opus, AAC, 3gpp and 3gpp2

[Nathan Beals]

Change by Nathan Beals :


--
title: Missing MIME types for opus, AAC and 3gpp(2) -> Missing MIME types for 
opus, AAC, 3gpp and 3gpp2

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42447] robotsparser deny all with some rules

[Terry J. Reedy]

Change by Terry J. Reedy :


--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42800] Traceback objects allow accessing frame objects without triggering audit hooks

[Ryan Hileman]

Ryan Hileman  added the comment:

How's this for maintainable?

https://github.com/lunixbochs/cpython/commit/2bf1cc93d19a49cbed09b45f7dbb00212229f0a1

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42995] Add PurePath.with_suffix_appended()

[Brendan Gerrity]

New submission from Brendan Gerrity :

Appending a new suffix to a file is common operation.

The operations don't come across as elegant:

e.g. `foo_path.with_suffix(foo_path.suffix + ".old")`

--
components: Library (Lib)
messages: 385451
nosy: bgerrity
priority: normal
severity: normal
status: open
title: Add PurePath.with_suffix_appended()
versions: Python 3.10

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42995] Add PurePath.with_suffix_appended()

[Brendan Gerrity]

Brendan Gerrity  added the comment:

This could addressed with either a new helper or an option in the 
`PurePath.with_suffix()`.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42994] Missing MIME types for opus, AAC, 3gpp and 3gpp2

[Nathan Beals]

Change by Nathan Beals :


--
keywords: +patch
pull_requests: +23107
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24287

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42980] argparse: GNU-style help formatter

[Will Noble]

Will Noble  added the comment:

The main contribution of my PR is simply factoring out _format_option_with_args 
as an overridable method. Note that this actually enables subclassing 
HelpFormatter to produce all the examples you presented above with 1-3 trivial 
lines of code, as opposed to overriding the entire _format_action_invocation 
which is 20 lines in the base class.

If HelpFormatter had a stable internal structure (i.e. some sort of assurance 
that it's overridable methods were not subject to change), I wouldn't have 
bothered including an implementation of GnuStyleLongOptionsHelpFormatter in 
this PR, since I could just implement it downstream as-needed. However, I chose 
to push it upstream because a) it's trivial and non-invasive and b) it 
establishes a use-case of _format_option_with_args for posterity, just in case 
anybody came in later and saw such a trivial, "private" (underscore-prefixed) 
method and decided to inline it.

This lack of perceived stability is alluded to in 
https://bugs.python.org/issue42966. My preferred solution would be to refactor 
HelpFormatter to have more overridable methods like this, make them 
non-"private", document them properly, and keep them relatively stable. In 
order to do that, we'd want to establish all the desired use-cases and be sure 
to craft the method structure in such a way that they're all supported. Since 
that would be a somewhat daunting design task and probably not high on the 
priority list atm, I think this small incremental improvement pushes things in 
the right direction; establishing a desirable use-case without committing to 
too many implementation details yet.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42606] Support POSIX atomicity guarantee of O_APPEND on Windows

[Eryk Sun]

Eryk Sun  added the comment:

> can a new handle have non-default access rights? Or can the 
> default change at this point of Windows history?

I don't know what you mean by default access rights.

C open() requests generic access rights, which map to the standard and 
file-specific rights in the File type's generic mapping. If all of the 
requested access rights aren't granted, then the open fails with an access 
denied error. For example, if FILE_WRITE_DATA isn't granted, then open() can't 
open for appending. A direct CreateFileW() call can remove FILE_WRITE_DATA from 
the desired access.

DuplicateHandle() can always request the same or less access than the source 
handle. For some object types, it can perform an access check to get more 
access, but not for a File handle.

> Currently, the only way to achieve atomic append in Python on 
> Windows that I know is to use a custom opener that would call
> CreateFile() with the right arguments via ctypes/pywin32/etc.

An opener could also work like your PR via os.open(), msvcrt.get_osfhandle(), 
_winapi.GetFileType(), _winapi.DuplicateHandle(), os.close(), and 
msvcrt.open_osfhandle().

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42982] Update suggested number of iterations for pbkdf2_hmac()

[Illia Volochii]

Illia Volochii  added the comment:

I didn't find any. I think it is based on some benchmarks like `openssl speed 
sha`.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42995] Add PurePath.with_suffix_appended()

[Brendan Gerrity]

Change by Brendan Gerrity :


--
keywords: +patch
pull_requests: +23109
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24288

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42606] Support POSIX atomicity guarantee of O_APPEND on Windows

[Alexey Izbyshev]

Alexey Izbyshev  added the comment:

> I don't know what you mean by default access rights.

I meant the access rights of the handle created by _wopen(). In my PR I 
basically assume that _wopen() uses GENERIC_READ/GENERIC_WRITE access rights, 
but _wopen() doesn't have a contractual obligation to do exactly that AFAIU. 
For example, if it got some extra access rights, then my code would "drop" them 
while switching FILE_WRITE_DATA off.

> For example, if FILE_WRITE_DATA isn't granted, then open() can't open for 
> appending. A direct CreateFileW() call can remove FILE_WRITE_DATA from the 
> desired access.

Indeed, I haven't thought about it. Are you aware of a common scenario when a 
regular file allows appending but not writing?

But, at least, this is not a regression: currently open()/os.open() can't open 
such files for appending too.

> An opener could also work like your PR via os.open(), msvcrt.get_osfhandle(), 
> _winapi.GetFileType(), _winapi.DuplicateHandle(), os.close(), and 
> msvcrt.open_osfhandle().

True, but it still falls into "etc" category of "ctypes/pywin32/etc" :) 
Certainly doable, but it seems better to have consistent O_APPEND behavior 
across platforms out-of-the-box.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42996] hashlib documentation references an obsolete RFC 2898

[Illia Volochii]

New submission from Illia Volochii :

RFC 2898 mentioned in the "See also" section of hashlib documentation was 
superseded by RFC 8018.

https://docs.python.org/3/library/hashlib.html
https://www.ietf.org/rfc/rfc8018.txt

--
assignee: docs@python
components: Documentation
messages: 385457
nosy: docs@python, illia-v
priority: normal
severity: normal
status: open
title: hashlib documentation references an obsolete RFC 2898

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42996] hashlib documentation references an obsolete RFC 2898

[Illia Volochii]

Change by Illia Volochii :


--
keywords: +patch
pull_requests: +23110
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24289

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue39950] Add pathlib.Path.hardlink_to()

[Barney Gale]

Barney Gale  added the comment:

Makes sense to me. Should I leave the documentation for `link_to` completely 
alone? With the addition of a similar function, I wonder if that may in itself 
cause confusion.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42985] AMD64 Arch Linux Asan 3.x fails: command timed out: 1200 seconds without output

[STINNER Victor]

STINNER Victor  added the comment:

> Both sound reasonable. But not sure if they will resolve this crash tough.

Many tests do crash *on purpose*. Example on test_concurrent_futures.py:

def _crash(delay=None):
"""Induces a segfault."""
if delay:
time.sleep(delay)
import faulthandler
faulthandler.disable()
faulthandler._sigsegv()

Internally, faulthandler._sigsegv() disables crash reports.

There is also test.support.SuppressCrashReport context manager to disable crash 
reports. But I failed to find a way to disable ASAN signal handler at runtime.

It's possible to disable the ASAN signal handler at runtime using 
signal.signal(SIGSEGV, signal.SIG_DFT), but that should be done before Python 
installs its own signal handler for that, like before calling 
faulthandler.enable(). It would require to inject code in test_faulthandler to 
restore the default handler *before* calling faulthandler.enable(). Right now, 
test_faulthandler is skipped on the ASAN buildbots.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42988] Information disclosure via pydoc -p: /getfile?key=path allows to read arbitrary file on the filesystem

[STINNER Victor]

STINNER Victor  added the comment:

> I'd suggest to print a big warning on the console, explaining that the web 
> server will potentially make all content accessible by the user visible to 
> anyone else on the same server.

I dislike this idea. If they are vulnerabilities, they should be fixed. Users 
usually have no idea what to do when seeing such warning.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31904] Python should support VxWorks RTOS

[STINNER Victor]

STINNER Victor  added the comment:


New changeset 5e45f1c8e7bc5f0ab8feba88b9b6e47066203a5c by pxinwr in branch 
'master':
bpo-31904: setup.py: fix cross-compilation on VxWorks (GH-24191)
https://github.com/python/cpython/commit/5e45f1c8e7bc5f0ab8feba88b9b6e47066203a5c


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42780] os.set_inheritable() fails for O_PATH file descriptors on Linux

[STINNER Victor]

STINNER Victor  added the comment:

> No problem! I've noticed at least one other (relatively minor) issue in `os`, 
> so I may be submitting further bug reports.

Please do. But I suggest to open new issues.

> I haven't been keeping close track of 3.6/3.7's status, so I added them in 
> without thinking it. Thanks for the reminder.

Don't worry (be happy). Everybody is confused by the Versions field.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42997] Improve error message for missing : before suites

[Pablo Galindo Salgado]

New submission from Pablo Galindo Salgado :

Instead of displaying a generic syntax error:

Python 3.8.6 (default, Oct 10 2020, 18:31:21)
[GCC 10.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> for x in range
  File "", line 1
for x in range
 ^
SyntaxError: invalid syntax
>>>

we could display:

>>> for x in range
  File "", line 1
for x in range
  ^
SyntaxError: expected ':'

The same idea applies for every suite that has a missing ':'

--
messages: 385463
nosy: pablogsal
priority: normal
severity: normal
status: open
title: Improve error message for missing : before suites
versions: Python 3.10

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42384] Inconsistent sys.path between python and pdb

[miss-islington]

Change by miss-islington :


--
nosy: +miss-islington
nosy_count: 1.0 -> 2.0
pull_requests: +23111
pull_request: https://github.com/python/cpython/pull/24290

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42384] Inconsistent sys.path between python and pdb

[miss-islington]

Change by miss-islington :


--
pull_requests: +23112
pull_request: https://github.com/python/cpython/pull/24291

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42384] Inconsistent sys.path between python and pdb

[miss-islington]

miss-islington  added the comment:


New changeset 8603dfb4219989644601f6ede75b57e82648cd4e by Andrey Bienkowski in 
branch 'master':
bpo-42384: pdb: correctly populate sys.path[0] (GH-23338)
https://github.com/python/cpython/commit/8603dfb4219989644601f6ede75b57e82648cd4e


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42997] Improve error message for missing : before suites

[Pablo Galindo Salgado]

Change by Pablo Galindo Salgado :


--
nosy: +lys.nikolaou

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42997] Improve error message for missing : before suites

[Pablo Galindo Salgado]

Change by Pablo Galindo Salgado :


--
keywords: +patch
pull_requests: +23113
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24292

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42997] Improve error message for missing : before suites

[Pablo Galindo Salgado]

Pablo Galindo Salgado  added the comment:

There are several ways to implement this:

In PR24292 I implemented this idea by adding a new element to the grammar: 
'&&'. This allows to hard-expect a token: if the token is not there the parsing 
hard-fails immediately without trying anything else and displays an appropriate 
error message

The other possibility if we think that PR24292 is overkill is manually adding 
an "invalid_wathever" for every possible compound statement option that parses 
the statement with a !':' and then raises appropriately. This option is more 
verbose in the grammar but requires no new machinery.

--
stage: patch review -> 

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42997] Improve error message for missing : before suites

[Pablo Galindo Salgado]

Change by Pablo Galindo Salgado :


--
nosy: +gvanrossum

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue41928] ZipFile does not supports Unicode Path Extra Field (0x7075) zip header field

[Andrea Giudiceandrea]

Andrea Giudiceandrea  added the comment:

I submitted more than a month ago a PR that adds support for Unicode Path Extra 
Field in ZipFile.
The PR https://github.com/python/cpython/pull/23736 is awaiting a review in 
order to be merged.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42990] Improve the C code for calling Python code

[Guido van Rossum]

Change by Guido van Rossum :


--
nosy: +brett.cannon, petr.viktorin, rhettinger, serhiy.storchaka, vstinner, 
yselivanov

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue42997] Improve error message for missing : before suites

[Pablo Galindo Salgado]

Change by Pablo Galindo Salgado :


--
pull_requests: +23115
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/24293

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com