Skip to content

Commit

Permalink
[3.12] pythongh-100734: What's New in 3.x: Add missing detail from 3.…
Browse files Browse the repository at this point in the history
…x branch (pythonGH-114689) (python#115526)

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
  • Loading branch information
miss-islington and hugovk authored Feb 15, 2024
1 parent 9bc32cd commit f383ca1
Show file tree
Hide file tree
Showing 7 changed files with 325 additions and 0 deletions.
36 changes: 36 additions & 0 deletions Doc/whatsnew/2.6.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2992,6 +2992,33 @@ Changes to Python's build process and to the C API include:
architectures (x86, PowerPC), 64-bit (x86-64 and PPC-64), or both.
(Contributed by Ronald Oussoren.)

* A new function added in Python 2.6.6, :c:func:`!PySys_SetArgvEx`, sets
the value of ``sys.argv`` and can optionally update ``sys.path`` to
include the directory containing the script named by ``sys.argv[0]``
depending on the value of an *updatepath* parameter.

This function was added to close a security hole for applications
that embed Python. The old function, :c:func:`!PySys_SetArgv`, would
always update ``sys.path``, and sometimes it would add the current
directory. This meant that, if you ran an application embedding
Python in a directory controlled by someone else, attackers could
put a Trojan-horse module in the directory (say, a file named
:file:`os.py`) that your application would then import and run.

If you maintain a C/C++ application that embeds Python, check
whether you're calling :c:func:`!PySys_SetArgv` and carefully consider
whether the application should be using :c:func:`!PySys_SetArgvEx`
with *updatepath* set to false. Note that using this function will
break compatibility with Python versions 2.6.5 and earlier; if you
have to continue working with earlier versions, you can leave
the call to :c:func:`!PySys_SetArgv` alone and call
``PyRun_SimpleString("sys.path.pop(0)\n")`` afterwards to discard
the first ``sys.path`` component.

Security issue reported as `CVE-2008-5983
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5983>`_;
discussed in :gh:`50003`, and fixed by Antoine Pitrou.

* The BerkeleyDB module now has a C API object, available as
``bsddb.db.api``. This object can be used by other C extensions
that wish to use the :mod:`bsddb` module for their own purposes.
Expand Down Expand Up @@ -3294,6 +3321,15 @@ that may require changes to your code:
scoping rules, also cause warnings because such comparisons are forbidden
entirely in 3.0.

For applications that embed Python:

* The :c:func:`!PySys_SetArgvEx` function was added in Python 2.6.6,
letting applications close a security hole when the existing
:c:func:`!PySys_SetArgv` function was used. Check whether you're
calling :c:func:`!PySys_SetArgv` and carefully consider whether the
application should be using :c:func:`!PySys_SetArgvEx` with
*updatepath* set to false.

.. ======================================================================
Expand Down
22 changes: 22 additions & 0 deletions Doc/whatsnew/3.1.rst
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,28 @@ Support was also added for third-party tools like `PyYAML <https://pyyaml.org/>`
PEP written by Armin Ronacher and Raymond Hettinger. Implementation
written by Raymond Hettinger.

Since an ordered dictionary remembers its insertion order, it can be used
in conjuction with sorting to make a sorted dictionary::

>>> # regular unsorted dictionary
>>> d = {'banana': 3, 'apple':4, 'pear': 1, 'orange': 2}

>>> # dictionary sorted by key
>>> OrderedDict(sorted(d.items(), key=lambda t: t[0]))
OrderedDict([('apple', 4), ('banana', 3), ('orange', 2), ('pear', 1)])

>>> # dictionary sorted by value
>>> OrderedDict(sorted(d.items(), key=lambda t: t[1]))
OrderedDict([('pear', 1), ('orange', 2), ('banana', 3), ('apple', 4)])

>>> # dictionary sorted by length of the key string
>>> OrderedDict(sorted(d.items(), key=lambda t: len(t[0])))
OrderedDict([('pear', 1), ('apple', 4), ('orange', 2), ('banana', 3)])

The new sorted dictionaries maintain their sort order when entries
are deleted. But when new keys are added, the keys are appended
to the end and the sort is not maintained.


PEP 378: Format Specifier for Thousands Separator
=================================================
Expand Down
47 changes: 47 additions & 0 deletions Doc/whatsnew/3.10.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1517,6 +1517,13 @@ functions internally. For more details, please see their respective
documentation.
(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)
The presence of newline or tab characters in parts of a URL allows for some
forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
characters are controlled by a new module level variable
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)
xml
---
Expand Down Expand Up @@ -2315,3 +2322,43 @@ Removed
* The ``PyThreadState.use_tracing`` member has been removed to optimize Python.
(Contributed by Mark Shannon in :issue:`43760`.)
Notable security feature in 3.10.7
==================================
Converting between :class:`int` and :class:`str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
now raises a :exc:`ValueError` if the number of digits in string form is
above a limit to avoid potential denial of service attacks due to the
algorithmic complexity. This is a mitigation for `CVE-2020-10735
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
This limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
length limitation <int_max_str_digits>` documentation. The default limit
is 4300 digits in string form.
Notable security feature in 3.10.8
==================================
The deprecated :mod:`!mailcap` module now refuses to inject unsafe text
(filenames, MIME types, parameters) into shell commands. Instead of using such
text, it will warn and act as if a match was not found (or for test commands,
as if the test failed).
(Contributed by Petr Viktorin in :gh:`98966`.)
Notable changes in 3.10.12
==========================
tarfile
-------
* The extraction methods in :mod:`tarfile`, and :func:`shutil.unpack_archive`,
have a new a *filter* argument that allows limiting tar features than may be
surprising or dangerous, such as creating files outside the destination
directory.
See :ref:`tarfile-extraction-filter` for details.
In Python 3.12, use without the *filter* argument will show a
:exc:`DeprecationWarning`.
In Python 3.14, the default will switch to ``'data'``.
(Contributed by Petr Viktorin in :pep:`706`.)
33 changes: 33 additions & 0 deletions Doc/whatsnew/3.6.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1472,6 +1472,10 @@ Server and client-side specific TLS protocols for :class:`~ssl.SSLContext`
were added.
(Contributed by Christian Heimes in :issue:`28085`.)

Added :attr:`ssl.SSLContext.post_handshake_auth` to enable and
:meth:`ssl.SSLSocket.verify_client_post_handshake` to initiate TLS 1.3
post-handshake authentication.
(Contributed by Christian Heimes in :gh:`78851`.)

statistics
----------
Expand Down Expand Up @@ -2063,6 +2067,15 @@ connected to and thus what Python interpreter will be used by the virtual
environment. (Contributed by Brett Cannon in :issue:`25154`.)


xml
---

* As mitigation against DTD and external entity retrieval, the
:mod:`xml.dom.minidom` and :mod:`xml.sax` modules no longer process
external entities by default.
(Contributed by Christian Heimes in :gh:`61441`.)


Deprecated functions and types of the C API
-------------------------------------------

Expand Down Expand Up @@ -2430,9 +2443,13 @@ The :func:`locale.localeconv` function now sets temporarily the ``LC_CTYPE``
locale to the ``LC_NUMERIC`` locale in some cases.
(Contributed by Victor Stinner in :issue:`31900`.)


Notable changes in Python 3.6.7
===============================

:mod:`xml.dom.minidom` and :mod:`xml.sax` modules no longer process
external entities by default. See also :gh:`61441`.

In 3.6.7 the :mod:`tokenize` module now implicitly emits a ``NEWLINE`` token
when provided with input that does not have a trailing new line. This behavior
now matches what the C tokenizer does internally.
Expand Down Expand Up @@ -2460,3 +2477,19 @@ separator key, with ``&`` as the default. This change also affects
functions internally. For more details, please see their respective
documentation.
(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Notable changes in Python 3.6.14
================================

A security fix alters the :class:`ftplib.FTP` behavior to not trust the
IPv4 address sent from the remote server when setting up a passive data
channel. We reuse the ftp server IP address instead. For unusual code
requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
attribute on your FTP instance to ``True``. (See :gh:`87451`)

The presence of newline or tab characters in parts of a URL allows for some
forms of attacks. Following the WHATWG specification that updates RFC 3986,
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
URL by the parser :func:`urllib.parse` preventing such attacks. The removal
characters are controlled by a new module level variable
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)
44 changes: 44 additions & 0 deletions Doc/whatsnew/3.7.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1380,6 +1380,10 @@ Supported protocols are indicated by several new flags, such as
:data:`~ssl.HAS_TLSv1_1`.
(Contributed by Christian Heimes in :issue:`32609`.)

Added :attr:`ssl.SSLContext.post_handshake_auth` to enable and
:meth:`ssl.SSLSocket.verify_client_post_handshake` to initiate TLS 1.3
post-handshake authentication.
(Contributed by Christian Heimes in :gh:`78851`.)

string
------
Expand Down Expand Up @@ -1599,6 +1603,15 @@ at the interactive prompt. See :ref:`whatsnew37-pep565` for details.
(Contributed by Nick Coghlan in :issue:`31975`.)


xml
---

As mitigation against DTD and external entity retrieval, the
:mod:`xml.dom.minidom` and :mod:`xml.sax` modules no longer process
external entities by default.
(Contributed by Christian Heimes in :gh:`61441`.)


xml.etree
---------

Expand Down Expand Up @@ -2571,3 +2584,34 @@ separator key, with ``&`` as the default. This change also affects
functions internally. For more details, please see their respective
documentation.
(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Notable changes in Python 3.7.11
================================

A security fix alters the :class:`ftplib.FTP` behavior to not trust the
IPv4 address sent from the remote server when setting up a passive data
channel. We reuse the ftp server IP address instead. For unusual code
requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
attribute on your FTP instance to ``True``. (See :gh:`87451`)


The presence of newline or tab characters in parts of a URL allows for some
forms of attacks. Following the WHATWG specification that updates RFC 3986,
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
URL by the parser :func:`urllib.parse` preventing such attacks. The removal
characters are controlled by a new module level variable
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :gh:`88048`)

Notable security feature in 3.7.14
==================================

Converting between :class:`int` and :class:`str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
now raises a :exc:`ValueError` if the number of digits in string form is
above a limit to avoid potential denial of service attacks due to the
algorithmic complexity. This is a mitigation for `CVE-2020-10735
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
This limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
length limitation <int_max_str_digits>` documentation. The default limit
is 4300 digits in string form.
91 changes: 91 additions & 0 deletions Doc/whatsnew/3.8.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2243,6 +2243,21 @@ details, see the documentation for ``loop.create_datagram_endpoint()``.
(Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in
:issue:`37228`.)

Notable changes in Python 3.8.2
===============================

Fixed a regression with the ``ignore`` callback of :func:`shutil.copytree`.
The argument types are now str and List[str] again.
(Contributed by Manuel Barkhau and Giampaolo Rodola in :gh:`83571`.)

Notable changes in Python 3.8.3
===============================

The constant values of future flags in the :mod:`__future__` module
are updated in order to prevent collision with compiler flags. Previously
``PyCF_ALLOW_TOP_LEVEL_AWAIT`` was clashing with ``CO_FUTURE_DIVISION``.
(Contributed by Batuhan Taskaya in :gh:`83743`)

Notable changes in Python 3.8.8
===============================

Expand All @@ -2256,9 +2271,55 @@ functions internally. For more details, please see their respective
documentation.
(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.)

Notable changes in Python 3.8.9
===============================

A security fix alters the :class:`ftplib.FTP` behavior to not trust the
IPv4 address sent from the remote server when setting up a passive data
channel. We reuse the ftp server IP address instead. For unusual code
requiring the old behavior, set a ``trust_server_pasv_ipv4_address``
attribute on your FTP instance to ``True``. (See :gh:`87451`)

Notable changes in Python 3.8.10
================================

macOS 11.0 (Big Sur) and Apple Silicon Mac support
--------------------------------------------------

As of 3.8.10, Python now supports building and running on macOS 11
(Big Sur) and on Apple Silicon Macs (based on the ``ARM64`` architecture).
A new universal build variant, ``universal2``, is now available to natively
support both ``ARM64`` and ``Intel 64`` in one set of executables.
Note that support for "weaklinking", building binaries targeted for newer
versions of macOS that will also run correctly on older versions by
testing at runtime for missing features, is not included in this backport
from Python 3.9; to support a range of macOS versions, continue to target
for and build on the oldest version in the range.

(Originally contributed by Ronald Oussoren and Lawrence D'Anna in :gh:`85272`,
with fixes by FX Coudert and Eli Rykoff, and backported to 3.8 by Maxime Bélanger
and Ned Deily)

Notable changes in Python 3.8.10
================================

urllib.parse
------------

The presence of newline or tab characters in parts of a URL allows for some
forms of attacks. Following the WHATWG specification that updates :rfc:`3986`,
ASCII newline ``\n``, ``\r`` and tab ``\t`` characters are stripped from the
URL by the parser in :mod:`urllib.parse` preventing such attacks. The removal
characters are controlled by a new module level variable
``urllib.parse._UNSAFE_URL_BYTES_TO_REMOVE``. (See :issue:`43882`)


Notable changes in Python 3.8.12
================================

Changes in the Python API
-------------------------

Starting with Python 3.8.12 the :mod:`ipaddress` module no longer accepts
any leading zeros in IPv4 address strings. Leading zeros are ambiguous and
interpreted as octal notation by some libraries. For example the legacy
Expand All @@ -2268,3 +2329,33 @@ any leading zeros.

(Originally contributed by Christian Heimes in :issue:`36384`, and backported
to 3.8 by Achraf Merzouki.)

Notable security feature in 3.8.14
==================================

Converting between :class:`int` and :class:`str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
now raises a :exc:`ValueError` if the number of digits in string form is
above a limit to avoid potential denial of service attacks due to the
algorithmic complexity. This is a mitigation for `CVE-2020-10735
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
This limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
length limitation <int_max_str_digits>` documentation. The default limit
is 4300 digits in string form.

Notable changes in 3.8.17
=========================

tarfile
-------

* The extraction methods in :mod:`tarfile`, and :func:`shutil.unpack_archive`,
have a new a *filter* argument that allows limiting tar features than may be
surprising or dangerous, such as creating files outside the destination
directory.
See :ref:`tarfile-extraction-filter` for details.
In Python 3.12, use without the *filter* argument will show a
:exc:`DeprecationWarning`.
In Python 3.14, the default will switch to ``'data'``.
(Contributed by Petr Viktorin in :pep:`706`.)
Loading

0 comments on commit f383ca1

Please sign in to comment.