Steve Dower added the comment:
Sorry, I take that back. Earlier versions would indeed skip initialization in
some cases.
I propose we deprecate the dll_path field in PathConfig and just get the path
directly in the three places it's necessary. The path calculations have
security exp
New submission from Steve Dower :
Because of when _Py_ClearAuditHooks is called during finalization, it is
possible that __del__ destructors will be called after hooks have been cleared.
Audit events that would be raised here are dropped.
We should ensure these events are received by any
New submission from Steve Dower :
These tests rely on MSVC to do some building, but Windows ARM devices do not
currently have a compiler toolset (you need to cross-compile).
We should skip these tests.
Sample build: https://buildbot.python.org/all/#/builders/182/builds/773
Sample traceback
New submission from Steve Dower :
Sample build: https://buildbot.python.org/all/#/builders/182/builds/773
The second last step is failing for some reason, probably because it doesn't
have the file it needs.
--
components: Build, Windows
messages: 372700
nosy: paul.moore, steve.
Steve Dower added the comment:
I like using the existing event for unmarshalling code objects, assuming we
have all the arguments available.
I'm not sure whether it's worth auditing all marshal.load() calls (just as we
don't audit all pickle.load() calls). But depending on th
Steve Dower added the comment:
Actually, a quick search of codeobject.c and a look at tkmk's PR makes it seem
like the audit event should be being raised from inside
PyCode_NewWithPosOnlyArgs anyway (which IIRC didn't exist when I first added
the event, though it was probably th
Steve Dower added the comment:
This is by (Windows's) design - separate apps are treated as separate by the
Windows app model. In the latest and N-1 updates to Windows, the AppData
redirection only applies to newly created files, not those that already exist.
[1] Before then, it used
Steve Dower added the comment:
As an aside, virtual environments will have the same redirection as the base
interpreter, so this is really only an issue between a 3.7 install and a 3.8
install, or a Store install and a traditional install
Steve Dower added the comment:
PR 21222 (with test updates) is a good fix, though we know there can still be
arbitrary code executed afterwards. But it's not in a place where we can
reliably hook.
Probably the best thing to do is to make sure that events are raised for
anything that
Steve Dower added the comment:
> A crude workaround is to script PowerShell or CMD in a child process.
I mean, that's not a *terrible* workaround:
>>> import os
>>> p1 = os.path.expandvars("%APPDATA%\\test.txt")
>>> p1
'C:\\Users\\steve\\A
Change by Steve Dower :
--
assignee: -> steve.dower
___
Python tracker
<https://bugs.python.org/issue29778>
___
___
Python-bugs-list mailing list
Unsubscrib
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20446
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/21297
___
Python tracker
<https://bugs.python.org/issu
Change by Steve Dower :
--
pull_requests: +20447
pull_request: https://github.com/python/cpython/pull/21298
___
Python tracker
<https://bugs.python.org/issue29
Steve Dower added the comment:
Ah, you're right. Thanks for double checking me :)
I'll merge the PR and do the backports. Thanks!
--
___
Python tracker
<https://bugs.python.o
Steve Dower added the comment:
New changeset d160e0f8e283d0a8737644588b38e8c6a07c134f by tkmikan in branch
'master':
bpo-41180: Audit code.__new__ when unmarshalling (GH-21271)
https://github.com/python/cpython/commit/d160e0f8e283d0a8737644588b38e8
Steve Dower added the comment:
New changeset daa0fe03a517d335d48e65ace8e5da636e265a8f by Konge in branch
'master':
bpo-41162: Clear audit hooks later during finalization (GH-21222)
https://github.com/python/cpython/commit/daa0fe03a517d335d48e65ace8e5da
Change by Steve Dower :
--
pull_requests: +20451
pull_request: https://github.com/python/cpython/pull/21302
___
Python tracker
<https://bugs.python.org/issue41
Steve Dower added the comment:
Bumping to release blocker and adding RMs. Should definitely get this fix
merged within the next week, and I don't want the next round of releases to go
out without it.
--
nosy: +lukasz.langa, ned.deily
priority: normal -> release blocker
Steve Dower added the comment:
New changeset e1d4fdc53347617bea1aff0d7112471453f65003 by Steve Dower in branch
'3.9':
bpo-41162: Clear audit hooks later during finalization (GH-21222)
https://github.com/python/cpython/commit/e1d4fdc53347617bea1aff0d711247
Steve Dower added the comment:
Maybe we need to add a page for "undocumented" events? I really don't want to
document the _ctypes or _winapi modules - those should remain internal-only.
Maybe we can add a section to the end of the audit_events.rst file for "other
events
Change by Steve Dower :
--
pull_requests: +20452
pull_request: https://github.com/python/cpython/pull/21303
___
Python tracker
<https://bugs.python.org/issue41
Change by Steve Dower :
--
nosy: +steve.dower
nosy_count: 3.0 -> 4.0
pull_requests: +20453
pull_request: https://github.com/python/cpython/pull/21304
___
Python tracker
<https://bugs.python.org/issu
Change by Steve Dower :
--
pull_requests: -20453
___
Python tracker
<https://bugs.python.org/issue21222>
___
Change by Steve Dower :
--
nosy: -steve.dower
___
Python tracker
<https://bugs.python.org/issue21222>
___
Change by Steve Dower :
--
pull_requests: +20454
pull_request: https://github.com/python/cpython/pull/21304
___
Python tracker
<https://bugs.python.org/issue29
Change by Steve Dower :
--
pull_requests: +20456
pull_request: https://github.com/python/cpython/pull/21304
___
Python tracker
<https://bugs.python.org/issue41
Change by Steve Dower :
--
nosy: +steve.dower
nosy_count: 3.0 -> 4.0
pull_requests: +20455
pull_request: https://github.com/python/cpython/pull/21304
___
Python tracker
<https://bugs.python.org/issu
Change by Steve Dower :
--
pull_requests: -20454
___
Python tracker
<https://bugs.python.org/issue29778>
___
Steve Dower added the comment:
New changeset 941117aaa32bf8b02c739ad848ac727292f75b05 by Steve Dower in branch
'3.9':
bpo-21222: Fix improperly merged change so that final hooks are called before
types are cleared (GH-21304)
https://github.com/python/cpyt
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20457
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/21305
___
Python tracker
<https://bugs.python.org/issu
Steve Dower added the comment:
New changeset b9e288cc1bfd583e887f784e38d9c511b43c0c3a by Steve Dower in branch
'3.8':
bpo-41162: Clear audit hooks later during finalization (GH-21222)
https://github.com/python/cpython/commit/b9e288cc1bfd583e887f784e38d9c5
Steve Dower added the comment:
New changeset dcbaa1b49cd9062fb9ba2b9d49555ac6cd8c60b5 by Steve Dower in branch
'master':
bpo-29778: Ensure python3.dll is loaded from correct locations when Python is
embedded (GH-21297)
https://github.com/python/cpyt
Change by Steve Dower :
--
pull_requests: +20500
pull_request: https://github.com/python/cpython/pull/21354
___
Python tracker
<https://bugs.python.org/issue29
Steve Dower added the comment:
Fixes are in. Also adding the CVE number to the bug title.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
title: _Py_CheckPython3 uses uninitialized dllpath when embedder sets module
path with Py_SetPath -&g
Steve Dower added the comment:
Merged the initial fix, but we now need to find any exploitable paths that
remain.
Considering how late in finalization they now run, they're very unlikely to
succeed at doing anything interesting. However, they'd also qualify as bugs
(potential
Steve Dower added the comment:
Announcement post:
https://mail.python.org/archives/list/security-annou...@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/
CVE-2020-15523 is an invalid search path in Python 3.6 and later on
Windows. It occurs during Py_Initialize() when the runtime
Change by Steve Dower :
--
components: -Windows
nosy: -steve.dower
___
Python tracker
<https://bugs.python.org/issue35786>
___
Steve Dower added the comment:
> Python 3.5 is also vulnerable, no? This branch still gets security fixes, do
> you plan to backport the fix?
You're right. I thought because the backport tag was gone on GitHub that it was
EOL already.
I can do the backport.
--
n
Change by Steve Dower :
--
pull_requests: +20520
pull_request: https://github.com/python/cpython/pull/21377
___
Python tracker
<https://bugs.python.org/issue29
Steve Dower added the comment:
New changeset 10772ec1505a4583d662c051e577eb2d4fb6e755 by Steve Dower in branch
'master':
bpo-41173: Copy test results file from ARM worker before uploading (GH-21305)
https://github.com/python/cpython/commit/10772ec1505a4583d662c051e577eb
Change by Steve Dower :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20549
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/21400
___
Python tracker
<https://bugs.python.org/issu
Steve Dower added the comment:
New changeset af56c4fc76ac39ce76d649d7bebf7f78c1add4fa by Steve Dower in branch
'master':
bpo-41172: Fix check for compiler in test suite (GH-21400)
https://github.com/python/cpython/commit/af56c4fc76ac39ce76d649d7bebf7f
Change by Steve Dower :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Steve Dower added the comment:
Deprecating in 3.10 is fine - everyone who needs to know about it releases
whenever they like anyway, so we just need to make _some_ announcement.
I'd propose either moving it to Tools/distutils, or renaming it to _distutils.
The point is that we'
Steve Dower added the comment:
Correction: the original discovery credit goes to Eran Shimony and Ido Hoorvitch from CyberArk.
--
___
Python tracker
<https://bugs.python.org/issue29
Steve Dower added the comment:
The Windows build doesn't depend on distutils at all. We've had dedicated build
scripts for each module since before I started contributing.
--
___
Python tracker
<https://bugs.python.o
Steve Dower added the comment:
Thanks, this is a regression.
https://github.com/python/cpython/blob/master/PC/getpathp.c#L672 should be
inverted, as a zero return value indicates success.
--
keywords: +3.8regression
versions: +Python 3.10, Python 3.7, Python 3.9
Change by Steve Dower :
--
stage: -> test needed
type: -> security
___
Python tracker
<https://bugs.python.org/issue41304>
___
Steve Dower added the comment:
At a guess, it's probably the signal emulation (a.k.a. Ctrl+C support). We
could save some time by checking the requested handle first without blocking,
and only beginning the blocking call if it's not
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20637
stage: test needed -> patch review
pull_request: https://github.com/python/cpython/pull/21495
___
Python tracker
<https://bugs.python.org/issu
New submission from Steve Dower :
When connecting to localhost, socket.connect() takes two seconds on Windows
(the default) to time out, but on Linux (including WSL) it times out
immediately.
Test code (assuming port has no listener):
>>> import socket
>>> socke
New submission from Steve Dower :
Spotted at
https://dev.azure.com/Python/cpython/_build/results?buildId=66387&view=logs&j=d554cd63-f8f4-5b2d-871b-33e4ea76e915&t=5a14d0eb-dbd4-5b80-f5d0-7909f950a1cc&l=1859
test_empty_input (test.test_asyncio.test_subprocess.SubprocessProact
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20638
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/21495
___
Python tracker
<https://bugs.python.org/issu
Steve Dower added the comment:
New changeset 936a66094591dc0e67d4a60c170148bb700ec016 by Steve Dower in branch
'master':
bpo-41304: Ensure python3x._pth is loaded on Windows (GH-21495)
https://github.com/python/cpython/commit/936a66094591dc0e67d4a60c170148
Change by Steve Dower :
--
pull_requests: +20641
pull_request: https://github.com/python/cpython/pull/21499
___
Python tracker
<https://bugs.python.org/issue41
Change by Steve Dower :
--
title: test_subprocess timing out randomly on Windows ->
test_subprocess.test_pause_reading timing out randomly on Windows
___
Python tracker
<https://bugs.python.org/issu
Steve Dower added the comment:
FYI, issue41304 fixed a regression in this patch in 3.7 and later. The
regression shipped in 3.8.4 and 3.9.0b4, but will be fixed in the subsequent
releases.
--
___
Python tracker
<https://bugs.python.
Steve Dower added the comment:
For clarity, this was caused by the fix for issue29778, and was only released
in 3.8.4 and 3.9.0b4. No other versions had a release before the fix was merged.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -&g
Steve Dower added the comment:
This is now assigned CVE-2020-15801
--
title: python 38 embed ignore python38._pth file on windows -> [CVE-2020-15801]
python 38 embed ignore python38._pth file on windows
___
Python tracker
<https://bugs.pyth
Change by Steve Dower :
--
pull_requests: +20658
pull_request: https://github.com/python/cpython/pull/21521
___
Python tracker
<https://bugs.python.org/issue41
Steve Dower added the comment:
New changeset 79ed1a53fa44a1b74e3c24c9d5f698abd9610921 by Miss Islington (bot)
in branch '3.8':
bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521)
https://github.com/python/cpython/commit/79ed1a53fa44a1b74e3c24c9d5f698
Steve Dower added the comment:
New changeset a16ac4e43c8ed15bf2fca52df3a0a5de26ad2705 by Miss Islington (bot)
in branch '3.9':
bpo-41304: Update NEWS to include CVE-2020-15801 reference (GH-21521)
https://github.com/python/cpython/commit/a16ac4e43c8ed15bf2fca52df3a0a5
Steve Dower added the comment:
It already returns a non-zero exit code (should be (IIRC) 9009 to match the
built-in cmd.exe result), and I've been trying to get the message added for at
least a year now.
Unfortunately, I can only push it so far before it has to work through the
Wi
Steve Dower added the comment:
It's already gone through the correct channels, so any other submissions will
be duped by the triagers.
The best person to post at is me, but I've suffered enough for it :) I'm
pushing.
--
___
Steve Dower added the comment:
I wonder whether we should be more specific about the shells that shlex works
for? Since WSL makes *sh (Bash, Dash, Sh, etc.) easily available on Windows,
and I believe PowerShell on Linux keeps its own quoting rules
Steve Dower added the comment:
> Python-3.8.4rc1 and Python-3.9.0b4 are still with SQLite-3.31.1.
Someone still had to send a PR to update the main build. It's not automatic,
otherwise you wouldn't be able to reproduce older builds.
I'll do it now. It'll
Change by Steve Dower :
--
pull_requests: +20713
pull_request: https://github.com/python/cpython/pull/21570
___
Python tracker
<https://bugs.python.org/issue40
Steve Dower added the comment:
New changeset 84761c3cc4bac31d471e371c53a338686d4b0241 by Steve Dower in branch
'master':
bpo-40741: Update Windows build to include SQLite 3.32.3 (GH-21570)
https://github.com/python/cpython/commit/84761c3cc4bac31d471e371c53a338
Steve Dower added the comment:
Closing this one now.
Let's use a new issue next time there's a need to update SQLite.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<h
Steve Dower added the comment:
> Windows 10 has a "Feedback Hub" to report problems and search for existing
> feedback that's similar.
This is the correct channel, but ultimately the "real" issue tracker is
private, so all you'll ever get is &quo
New submission from Steve Dower :
The uuid module calls platform.system() multiple times, even when the result is
known from sys.platform. We can avoid some of these.
--
assignee: steve.dower
components: Library (Lib)
messages: 374079
nosy: steve.dower
priority: normal
severity
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20726
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/21586
___
Python tracker
<https://bugs.python.org/issu
Steve Dower added the comment:
New changeset bf2f76ec0976c09de79c8827764f30e3b6fba776 by Steve Dower in branch
'master':
bpo-41364: Reduce import overhead of uuid module (GH-21586)
https://github.com/python/cpython/commit/bf2f76ec0976c09de79c8827764f30
Change by Steve Dower :
--
pull_requests: +20730
pull_request: https://github.com/python/cpython/pull/21591
___
Python tracker
<https://bugs.python.org/issue41
Steve Dower added the comment:
New changeset a18f22ab11a7bfb5ff3e74c737ca9e1bebe4abf9 by Steve Dower in branch
'3.8':
bpo-41364: Reduce import overhead of uuid module (GH-21586)
https://github.com/python/cpython/commit/a18f22ab11a7bfb5ff3e74c737ca9e
Change by Steve Dower :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Steve Dower added the comment:
It seems like you're trying to launch the python.exe that is created for a
virtual environment rather than the actual one. This probably means that at
some point you created a virtual environment and updated your file association
to launch it.
The best
Steve Dower added the comment:
> it fails with this error means you're running a virtual-environment launcher
> instead of a base Python executable.
Exactly. It sounds like you probably searched for pythonw.exe and found the one
in Lib/venv/scripts/nt instead of the actual one.
Steve Dower added the comment:
I thought we already made it fail? (Checks) No we did not. Guess I
misremembered that.
I'll fix this tomorrow. We need it, or else we'll be inundated with these
reports for the entire life of 3.9.
--
assignee: -> steve.dower
pri
Steve Dower added the comment:
Assuming it fits, I'm going to update the 3.9+ post-install message to this
(assume the HTML renders normally). Any comments?
New to Python? Start with the <a
href="https://docs.python.org/[ShortVersion]/tutorial/index.html">online
tuto
Steve Dower added the comment:
Added a screenshot, after tweaking the spacing just a little.
--
Added file: https://bugs.python.org/file49343/postinstall.png
___
Python tracker
<https://bugs.python.org/issue40
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20799
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/21656
___
Python tracker
<https://bugs.python.org/issu
Change by Steve Dower :
--
pull_requests: -20800
___
Python tracker
<https://bugs.python.org/issue40947>
___
Change by Steve Dower :
--
nosy: +steve.dower
nosy_count: 2.0 -> 3.0
pull_requests: +20800
pull_request: https://github.com/python/cpython/pull/21656
___
Python tracker
<https://bugs.python.org/issu
Change by Steve Dower :
--
keywords: +patch
pull_requests: +20801
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/21656
___
Python tracker
<https://bugs.python.org/issu
Change by Steve Dower :
--
nosy: -steve.dower
___
Python tracker
<https://bugs.python.org/issue40947>
___
Steve Dower added the comment:
I changed the middle paragraph to this:
See <a
href="https://docs.python.org/[ShortVersion]/whatsnew/[ShortVersion].html">what's
new</a> in this release, or find more info about <a
href="https://docs.python.org/[ShortVersion
Steve Dower added the comment:
New changeset 37a06cbe5c17c2aa6ad938339fd42531a8a0bea0 by Steve Dower in branch
'master':
bpo-41412 and bpo-40948: Windows installer updates (GH-21656)
https://github.com/python/cpython/commit/37a06cbe5c17c2aa6ad938339fd425
Steve Dower added the comment:
New changeset 37a06cbe5c17c2aa6ad938339fd42531a8a0bea0 by Steve Dower in branch
'master':
bpo-41412 and bpo-40948: Windows installer updates (GH-21656)
https://github.com/python/cpython/commit/37a06cbe5c17c2aa6ad938339fd425
Steve Dower added the comment:
Leaving this open until we can validate on the next release. I don't have
convenient access to old versions of Windows anymore (and don't have time to
deal with inconvenient access this week).
--
priority: release blocker -> deferred
Change by Steve Dower :
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
___
Python tracker
<https://bugs.python.or
Steve Dower added the comment:
I just started running into a failure that looks like this on some private
builds (Xcode_11.3.1 on macOS-10.14.6-x86_64-i386-64bit):
==
FAIL: test_setsid (test.test_posix.TestPosixSpawnP
Steve Dower added the comment:
At a glance, it looks like ENTER_PYTHON will *restore* the GIL on the current
thread, but it may be coming in on a thread that's never seen the GIL before.
"The GIL" is actually the Python thread state, which is actually a per-thread
data s
Steve Dower added the comment:
It might help, but it will leave your install broken in a number of other ways.
For other people finding this issue, please share your install logs (look in
%TEMP% for the most recently created set of "python*.log" files). Also share
your PATH, PYTH
Change by Steve Dower :
--
components: +Installation
___
Python tracker
<https://bugs.python.org/issue40395>
___
Steve Dower added the comment:
Yes, if you use -E then you need to provide the dependencies in some other way.
The option is there to suppress network access at build time, not to build
without those modules.
--
___
Python tracker
<ht
Steve Dower added the comment:
Oh great, it's one of these style changes :)
You probably want to define some macros for those barriers so the added
optional nesting doesn't come back to bite us later.
Otherwise, best of luck! Let me know if I can help out (for now I'm jus
Steve Dower added the comment:
As Eryk says, the defaults include the "py" launcher, which is now recommended
at the end of installation. Python is also available from the Start
menu/screen, and PEP 514 allows other tools to reliably detect and offer Python
installs.
Modifying P
New submission from Steve Dower :
I'm doing the PR now, based on the latest versions available today:
https://pypi.org/project/pip/20.2.1/
https://pypi.org/project/setuptools/49.2.1/
If you're a maintainer and there's a reason to not update to the latest,
please let me kn