Merge remote-tracking branch 'upstream/main' into fix-mimetypes-case-sensitive-add-type

yuanx749 · yuanx749 · commit 046dc952f3db · 2026-06-08T12:03:27.000+03:00
diff --git a/Doc/howto/functional.rst b/Doc/howto/functional.rst
@@ -1042,7 +1042,7 @@ first calculation. ::
     >>> functools.reduce(operator.concat, [])
     Traceback (most recent call last):
       ...
-    TypeError: reduce() of empty sequence with no initial value
+    TypeError: reduce() of empty iterable with no initial value
     >>> functools.reduce(operator.mul, [1, 2, 3], 1)
     6
     >>> functools.reduce(operator.mul, [], 1)
diff --git a/Doc/library/stdtypes.rst b/Doc/library/stdtypes.rst
@@ -2376,7 +2376,8 @@ expression support in the :mod:`re` module).
 
    Return a copy of the string with leading characters removed.  The *chars*
    argument is a string specifying the set of characters to be removed.  If omitted
-   or ``None``, the *chars* argument defaults to removing whitespace.  The *chars*
+   or ``None``, the *chars* argument defaults to removing whitespace, that is
+   characters for which :meth:`str.isspace` is true.  The *chars*
    argument is not a prefix; rather, all combinations of its values are stripped::
 
       >>> '   spacious   '.lstrip()
@@ -2579,7 +2580,8 @@ expression support in the :mod:`re` module).
 
    Return a copy of the string with trailing characters removed.  The *chars*
    argument is a string specifying the set of characters to be removed.  If omitted
-   or ``None``, the *chars* argument defaults to removing whitespace.  The *chars*
+   or ``None``, the *chars* argument defaults to removing whitespace, that is
+   characters for which :meth:`str.isspace` is true.  The *chars*
    argument is not a suffix; rather, all combinations of its values are stripped.
    For example:
 
@@ -2755,11 +2757,9 @@ expression support in the :mod:`re` module).
 
    Return a copy of the string with the leading and trailing characters removed.
    The *chars* argument is a string specifying the set of characters to be removed.
-   If omitted or ``None``, the *chars* argument defaults to removing whitespace.
-   The *chars* argument is not a prefix or suffix; rather, all combinations of its
-   values are stripped.
-
-   Whitespace characters are defined by :meth:`str.isspace`.
+   If omitted or ``None``, the *chars* argument defaults to removing whitespace,
+   that is characters for which :meth:`str.isspace` is true.  The *chars* argument
+   is not a prefix or suffix; rather, all combinations of its values are stripped.
 
    For example:
 
diff --git a/Lib/shutil.py b/Lib/shutil.py
@@ -1307,12 +1307,6 @@ def unregister_unpack_format(name):
     """Removes the pack format from the registry."""
     del _UNPACK_FORMATS[name]
 
-def _ensure_directory(path):
-    """Ensure that the parent directory of `path` exists"""
-    dirname = os.path.dirname(path)
-    if not os.path.isdir(dirname):
-        os.makedirs(dirname)
-
 def _unpack_zipfile(filename, extract_dir):
     """Unpack zip `filename` to `extract_dir`
     """
diff --git a/Lib/test/test_bz2.py b/Lib/test/test_bz2.py
@@ -1032,6 +1032,21 @@ def test_failure(self):
         # Previously, a second call could crash due to internal inconsistency
         self.assertRaises(Exception, bzd.decompress, self.BAD_DATA * 30)
 
+    def test_decompress_after_data_error(self):
+        data = bytes.fromhex(
+            "425a6839314159265359000000000000007fffff000000000000000000000000"
+            "00000000000000000000000000000000000000e0370000000000000000000000"
+            "000000000000000000000000000000000000000000000000000083f3"
+        )
+        bzd = BZ2Decompressor()
+        with self.assertRaisesRegex(OSError, "Invalid data stream"):
+            bzd.decompress(data)
+        # Previously, a second call could crash due to internal inconsistency
+        self.assertFalse(bzd.needs_input)
+        self.assertFalse(bzd.eof)
+        with self.assertRaisesRegex(ValueError, "previous error"):
+            bzd.decompress(b'\x00' * 18)
+
     @support.refcount_test
     def test_refleaks_in___init__(self):
         gettotalrefcount = support.get_attribute(sys, 'gettotalrefcount')
diff --git a/Lib/test/test_mmap.py b/Lib/test/test_mmap.py
@@ -354,6 +354,8 @@ def test_find_end(self):
         self.assertEqual(m.find(b'one', 1, -1), 8)
         self.assertEqual(m.find(b'one', 1, -2), -1)
         self.assertEqual(m.find(bytearray(b'one')), 0)
+        self.assertEqual(m.find(b'', n + 1), -1)
+        self.assertEqual(m.rfind(b'', n + 1), -1)
 
         for i in range(-n-1, n+1):
             for j in range(-n-1, n+1):
diff --git a/Lib/test/test_xmlrpc.py b/Lib/test/test_xmlrpc.py
@@ -208,6 +208,17 @@ def test_dump_encoding(self):
         self.assertEqual(xmlrpclib.loads(strg)[0][0], value)
         self.assertEqual(xmlrpclib.loads(strg)[1], methodname)
 
+    def test_dump_escape_methodname(self):
+        payload = 'foo</methodName><injected attr="evil"/><methodName>bar'
+        s = xmlrpclib.dumps((), methodname=payload)
+        self.assertIn(
+            '<methodName>foo&lt;/methodName&gt;&lt;injected attr="evil"/&gt;'
+            '&lt;methodName&gt;bar</methodName>', s
+        )
+        self.assertNotIn('<injected attr="evil"/>', s)
+        load, m = xmlrpclib.loads(s)
+        self.assertEqual(m, payload)
+
     def test_dump_bytes(self):
         sample = b"my dog has fleas"
         self.assertEqual(sample, xmlrpclib.Binary(sample))
diff --git a/Lib/xmlrpc/client.py b/Lib/xmlrpc/client.py
@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,
         data = (
             xmlheader,
             "<methodCall>\n"
-            "<methodName>", methodname, "</methodName>\n",
+            "<methodName>", escape(methodname), "</methodName>\n",
             data,
             "</methodCall>\n"
             )
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2026-06-06-08-20-00.gh-issue-150942.Jk9pQr.rst b/Misc/NEWS.d/next/Core_and_Builtins/2026-06-06-08-20-00.gh-issue-150942.Jk9pQr.rst
@@ -0,0 +1,3 @@
+Speed up frame local variable item collection by appending result pairs to the
+output list without an extra reference-count round-trip (using the internal
+reference-stealing list append helper). Patch by Omkar Kabde.
diff --git a/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst b/Misc/NEWS.d/next/Library/2026-04-24-19-54-00.gh-issue-148954.v1.rst
@@ -0,0 +1 @@
+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body.
diff --git a/Misc/NEWS.d/next/Library/2026-05-31-12-00-00.gh-issue-150942.Re7Ref.rst b/Misc/NEWS.d/next/Library/2026-05-31-12-00-00.gh-issue-150942.Re7Ref.rst
@@ -0,0 +1,3 @@
+Speed up :func:`re.findall`, :func:`re.sub` and :func:`re.subn` by appending
+result items to the output list without an extra reference-count round-trip
+(using the internal reference-stealing list append helper).
diff --git a/Misc/NEWS.d/next/Library/2026-06-06-15-20-54.gh-issue-151021.J4qk2A.rst b/Misc/NEWS.d/next/Library/2026-06-06-15-20-54.gh-issue-151021.J4qk2A.rst
@@ -0,0 +1,3 @@
+Fix :meth:`mmap.mmap.find` and :meth:`~mmap.mmap.rfind` to return ``-1``
+when searching for an empty subsequence with a start position past the end
+of the mapping.
diff --git a/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst b/Misc/NEWS.d/next/Security/2026-05-30-09-36-20.gh-issue-150599.nlHqU-.rst
@@ -0,0 +1,3 @@
+Fix a possible stack buffer overflow in :mod:`bz2` when a
+:class:`bz2.BZ2Decompressor` is reused after a decompression error.
+The decompressor now becomes unusable after libbz2 reports an error.
diff --git a/Modules/_bz2module.c b/Modules/_bz2module.c
@@ -108,6 +108,7 @@ typedef struct {
 typedef struct {
     PyObject_HEAD
     bz_stream bzs;
+    int bzerror;
     char eof;           /* Py_T_BOOL expects a char */
     PyObject *unused_data;
     char needs_input;
@@ -435,8 +436,11 @@ decompress_buf(BZ2Decompressor *d, Py_ssize_t max_length)
 
         d->bzs_avail_in_real += bzs->avail_in;
 
-        if (catch_bz2_error(bzret))
+        if (catch_bz2_error(bzret)) {
+            d->bzerror = bzret;
+            FT_ATOMIC_STORE_CHAR_RELAXED(d->needs_input, 0);
             goto error;
+        }
         if (bzret == BZ_STREAM_END) {
             FT_ATOMIC_STORE_CHAR_RELAXED(d->eof, 1);
             break;
@@ -607,10 +611,17 @@ _bz2_BZ2Decompressor_decompress_impl(BZ2Decompressor *self, Py_buffer *data,
     PyObject *result = NULL;
 
     PyMutex_Lock(&self->mutex);
-    if (self->eof)
+    if (self->eof) {
         PyErr_SetString(PyExc_EOFError, "End of stream already reached");
-    else
+    }
+    else if (self->bzerror) {
+        // Re-entering BZ2_bzDecompress() after an error can write out of bounds.
+        PyErr_SetString(PyExc_ValueError,
+                        "Decompressor is unusable after a previous error");
+    }
+    else {
         result = decompress(self, data->buf, data->len, max_length);
+    }
     PyMutex_Unlock(&self->mutex);
     return result;
 }
@@ -638,6 +649,7 @@ _bz2_BZ2Decompressor_impl(PyTypeObject *type)
     }
 
     self->mutex = (PyMutex){0};
+    self->bzerror = 0;
     self->needs_input = 1;
     self->bzs_avail_in_real = 0;
     self->input_buffer = NULL;
diff --git a/Modules/_sre/sre.c b/Modules/_sre/sre.c
@@ -42,6 +42,7 @@ static const char copyright[] =
 #include "pycore_critical_section.h" // Py_BEGIN_CRITICAL_SECTION
 #include "pycore_dict.h"             // _PyDict_Next()
 #include "pycore_long.h"             // _PyLong_GetZero()
+#include "pycore_list.h"             // _PyList_AppendTakeRef()
 #include "pycore_moduleobject.h"     // _PyModule_GetState()
 #include "pycore_tuple.h"            // _PyTuple_FromPairSteal
 #include "pycore_unicodeobject.h"    // _PyUnicode_Copy
@@ -986,8 +987,7 @@ _sre_SRE_Pattern_findall_impl(PatternObject *self, PyObject *string,
             break;
         }
 
-        status = PyList_Append(list, item);
-        Py_DECREF(item);
+        status = _PyList_AppendTakeRef((PyListObject *)list, item);
         if (status < 0)
             goto error;
 
@@ -1333,8 +1333,7 @@ pattern_subx(_sremodulestate* module_state,
                 string, i, b);
             if (!item)
                 goto error;
-            status = PyList_Append(list, item);
-            Py_DECREF(item);
+            status = _PyList_AppendTakeRef((PyListObject *)list, item);
             if (status < 0)
                 goto error;
 
@@ -1363,8 +1362,7 @@ pattern_subx(_sremodulestate* module_state,
 
         /* add to list */
         if (item != Py_None) {
-            status = PyList_Append(list, item);
-            Py_DECREF(item);
+            status = _PyList_AppendTakeRef((PyListObject *)list, item);
             if (status < 0)
                 goto error;
         }
@@ -1381,8 +1379,7 @@ pattern_subx(_sremodulestate* module_state,
                         string, i, state.endpos);
         if (!item)
             goto error;
-        status = PyList_Append(list, item);
-        Py_DECREF(item);
+        status = _PyList_AppendTakeRef((PyListObject *)list, item);
         if (status < 0)
             goto error;
     }
diff --git a/Modules/mmapmodule.c b/Modules/mmapmodule.c
@@ -620,8 +620,6 @@ mmap_gfind_lock_held(mmap_object *self, Py_buffer *view, PyObject *start_obj,
         start += self->size;
     if (start < 0)
         start = 0;
-    else if (start > self->size)
-        start = self->size;
 
     if (end < 0)
         end += self->size;
diff --git a/Objects/frameobject.c b/Objects/frameobject.c
@@ -9,6 +9,7 @@
 #include "pycore_function.h"      // _PyFunction_FromConstructor()
 #include "pycore_genobject.h"     // _PyGen_GetGeneratorFromFrame()
 #include "pycore_interpframe.h"   // _PyFrame_GetLocalsArray()
+#include "pycore_list.h"          // _PyList_AppendTakeRef()
 #include "pycore_modsupport.h"    // _PyArg_CheckPositional()
 #include "pycore_object.h"        // _PyObject_GC_UNTRACK()
 #include "pycore_opcode_metadata.h" // _PyOpcode_Caches
@@ -636,9 +637,7 @@ framelocalsproxy_items(PyObject *self, PyObject *Py_UNUSED(ignored))
                 goto error;
             }
 
-            int rc = PyList_Append(items, pair);
-            Py_DECREF(pair);
-            if (rc < 0) {
+            if (_PyList_AppendTakeRef((PyListObject *)items, pair) < 0) {
                 goto error;
             }
         }
@@ -655,9 +654,7 @@ framelocalsproxy_items(PyObject *self, PyObject *Py_UNUSED(ignored))
                 goto error;
             }
 
-            int rc = PyList_Append(items, pair);
-            Py_DECREF(pair);
-            if (rc < 0) {
+            if (_PyList_AppendTakeRef((PyListObject *)items, pair) < 0) {
                 goto error;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -1042,7 +1042,7 @@ first calculation. ::`
`1042`	`1042`	`>>> functools.reduce(operator.concat, [])`
`1043`	`1043`	`Traceback (most recent call last):`
`1044`	`1044`	`...`
`1045`		`- TypeError: reduce() of empty sequence with no initial value`
	`1045`	`+ TypeError: reduce() of empty iterable with no initial value`
`1046`	`1046`	`>>> functools.reduce(operator.mul, [1, 2, 3], 1)`
`1047`	`1047`	`6`
`1048`	`1048`	`>>> functools.reduce(operator.mul, [], 1)`
Original file line number	Diff line number	Diff line change
`@@ -965,7 +965,7 @@ def dumps(params, methodname=None, methodresponse=None, encoding=None,`
`965`	`965`	`data = (`
`966`	`966`	`xmlheader,`
`967`	`967`	`"<methodCall>\n"`
`968`		`- "<methodName>", methodname, "</methodName>\n",`
	`968`	`+ "<methodName>", escape(methodname), "</methodName>\n",`
`969`	`969`	`data,`
`970`	`970`	`"</methodCall>\n"`
`971`	`971`	`)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Speed up frame local variable item collection by appending result pairs to the`
	`2`	`+output list without an extra reference-count round-trip (using the internal`
	`3`	`+reference-stealing list append helper). Patch by Omkar Kabde.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fix XML injection vulnerability in :func:`xmlrpc.client.dumps` where the ``methodname`` was not being escaped before interpolation into the XML body.
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Speed up :func:`re.findall`, :func:`re.sub` and :func:`re.subn` by appending
	`2`	`+result items to the output list without an extra reference-count round-trip`
	`3`	`+(using the internal reference-stealing list append helper).`