Skip to content

Commit

Permalink
Upgrade to 3.8.17 (#26)
Browse files Browse the repository at this point in the history
* Post 3.8.16

* [3.8] Update copyright years to 2023. (pythongh-100852)

* [3.8] Update copyright years to 2023. (pythongh-100848).
(cherry picked from commit 11f9932)

Co-authored-by: Benjamin Peterson <benjamin@python.org>

* Update additional copyright years to 2023.

Co-authored-by: Ned Deily <nad@python.org>

* [3.8] Update copyright year in README (pythonGH-100863) (pythonGH-100867)

(cherry picked from commit 30a6cc4)

Co-authored-by: Ned Deily <nad@python.org>
Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com>

* [3.8] Correct CVE-2020-10735 documentation (pythonGH-100306) (python#100698)

(cherry picked from commit 1cf3d78)
(cherry picked from commit 88fe8d7)

Co-authored-by: Jeremy Paige <ucodery@gmail.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

* [3.8] Bump Azure Pipelines to ubuntu-22.04 (pythonGH-101089) (python#101215)

(cherry picked from commit c22a55c)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>

* [3.8] pythongh-100180: Update Windows installer to OpenSSL 1.1.1s (pythonGH-100903) (python#101258)

* pythongh-101422: (docs) TarFile default errorlevel argument is 1, not 0 (pythonGH-101424)

(cherry picked from commit ea23271)

Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>

* [3.8] pythongh-95778: add doc missing in some places (pythonGH-100627) (python#101630)

(cherry picked from commit 4652182)

* [3.8] pythongh-101283: Improved fallback logic for subprocess with shell=True on Windows (pythonGH-101286) (python#101710)

Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>

* [3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI i… (python#102095)

[3.8] pythongh-101981: Fix Ubuntu SSL tests with OpenSSL (3.1.0-beta1) CI issue (pythongh-102079)

* [3.8] pythonGH-102306 Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK (pythonGH-102307)

[3.8] Avoid GHA CI macOS test_posix failure by using the appropriate macOS SDK.

* [3.8] pythongh-101726: Update the OpenSSL version to 1.1.1t (pythonGH-101727) (pythonGH-101752)

Fixes CVE-2023-0286 (High) and a couple of Medium security issues.
https://www.openssl.org/news/secadv/20230207.txt

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>

* [3.8] pythongh-102627: Replace address pointing toward malicious web page (pythonGH-102630) (pythonGH-102667)

(cherry picked from commit 61479d4)

Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>

* [3.8] pythongh-101997: Update bundled pip version to 23.0.1 (pythonGH-101998). (python#102244)

(cherry picked from commit 89d9ff0)

* [3.8] pythongh-102950: Implement PEP 706 – Filter for tarfile.extractall (pythonGH-102953) (python#104548)

Backport of c8c3956

* [3.8] pythongh-99889: Fix directory traversal security flaw in uu.decode() (pythonGH-104096) (python#104332)

(cherry picked from commit 0aeda29)

Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>

* [3.8] pythongh-104049: do not expose on-disk location from SimpleHTTPRequestHandler (pythonGH-104067) (python#104121)

Do not expose the local server's on-disk location from `SimpleHTTPRequestHandler` when generating a directory index. (unnecessary information disclosure)

(cherry picked from commit c7c3a60)

Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>

* [3.8] pythongh-103935: Use `io.open_code()` when executing code in trace and profile modules (pythonGH-103947) (python#103954)

Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com>

* [3.8] pythongh-68966: fix versionchanged in docs (pythonGH-105299)

* [3.8] Update GitHub CI workflow for macOS. (pythonGH-105302)

* [3.8] pythongh-105184: document that marshal functions can fail and need to be checked with PyErr_Occurred (pythonGH-105185) (python#105222)

(cherry picked from commit ee26ca1)

Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>

* [3.8] pythongh-102153: Start stripping C0 control and space chars in `urlsplit` (pythonGH-102508) (pythonGH-104575) (pythonGH-104592) (python#104593) (python#104895)

`urllib.parse.urlsplit` has already been respecting the WHATWG spec a bit pythonGH-25595.

This adds more sanitizing to respect the "Remove any leading C0 control or space from input" [rule](https://url.spec.whatwg.org/GH-url-parsing:~:text=Remove%20any%20leading%20and%20trailing%20C0%20control%20or%20space%20from%20input.) in response to [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329).

I simplified the docs by eliding the state of the world explanatory
paragraph in this security release only backport.  (people will see
that in the mainline /3/ docs)

(cherry picked from commit d7f8a5f)
(cherry picked from commit 2f630e1)
(cherry picked from commit 610cc0a)
(cherry picked from commit f48a96a)

Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
Co-authored-by: Gregory P. Smith [Google] <greg@krypto.org>

* [3.8] pythongh-103142: Upgrade binary builds and CI to OpenSSL 1.1.1u (pythonGH-105174) (pythonGH-105200) (pythonGH-105205) (python#105370)

Upgrade builds to OpenSSL 1.1.1u.

Also updates _ssl_data_111.h from OpenSSL 1.1.1u, _ssl_data_300.h from 3.0.9.

Manual edits to the _ssl_data_300.h file prevent it from removing any
existing definitions in case those exist in some peoples builds and were
important (avoiding regressions during backporting).

(cherry picked from commit ede89af)
(cherry picked from commit e15de14)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Ned Deily <nad@python.org>

* Python 3.8.17

* Post 3.8.17

* Updated CI to build 3.8.17

---------

Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Co-authored-by: Benjamin Peterson <benjamin@python.org>
Co-authored-by: Ned Deily <nad@python.org>
Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Co-authored-by: HARSHA VARDHAN <75431678+Thunder-007@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Co-authored-by: Jeremy Paige <ucodery@gmail.com>
Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
Co-authored-by: Steve Dower <steve.dower@python.org>
Co-authored-by: Owain Davies <116417456+OTheDev@users.noreply.github.com>
Co-authored-by: Éric <earaujo@caravan.coop>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Steve Dower <steve.dower@microsoft.com>
Co-authored-by: Dong-hee Na <donghee.na@python.org>
Co-authored-by: Blind4Basics <32236948+Blind4Basics@users.noreply.github.com>
Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Pradyun Gedam <pradyunsg@gmail.com>
Co-authored-by: Petr Viktorin <encukou@gmail.com>
Co-authored-by: Sam Carroll <70000253+samcarroll42@users.noreply.github.com>
Co-authored-by: Ethan Furman <ethan@stoneleaf.us>
Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Co-authored-by: Tian Gao <gaogaotiantian@hotmail.com>
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
Co-authored-by: stratakis <cstratak@redhat.com>
Co-authored-by: Illia Volochii <illia.volochii@gmail.com>
  • Loading branch information
1 parent dc2e87f commit e0a363f
Show file tree
Hide file tree
Showing 52 changed files with 2,377 additions and 150 deletions.
12 changes: 6 additions & 6 deletions .azure-pipelines/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ jobs:
displayName: Pre-build checks

pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

steps:
- template: ./prebuild-checks.yml
Expand All @@ -20,7 +20,7 @@ jobs:
condition: and(succeeded(), eq(dependencies.Prebuild.outputs['docs.run'], 'true'))

pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

steps:
- template: ./docs-steps.yml
Expand Down Expand Up @@ -52,12 +52,12 @@ jobs:
condition: and(succeeded(), eq(dependencies.Prebuild.outputs['tests.run'], 'true'))

pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

variables:
testRunTitle: '$(build.sourceBranchName)-linux'
testRunPlatform: linux
openssl_version: 1.1.1n
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand All @@ -78,12 +78,12 @@ jobs:
)
pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
openssl_version: 1.1.1n
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand Down
12 changes: 6 additions & 6 deletions .azure-pipelines/pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ jobs:
displayName: Pre-build checks

pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

steps:
- template: ./prebuild-checks.yml
Expand All @@ -20,7 +20,7 @@ jobs:
condition: and(succeeded(), eq(dependencies.Prebuild.outputs['docs.run'], 'true'))

pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

steps:
- template: ./docs-steps.yml
Expand Down Expand Up @@ -52,12 +52,12 @@ jobs:
condition: and(succeeded(), eq(dependencies.Prebuild.outputs['tests.run'], 'true'))

pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

variables:
testRunTitle: '$(system.pullRequest.TargetBranch)-linux'
testRunPlatform: linux
openssl_version: 1.1.1n
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand All @@ -78,12 +78,12 @@ jobs:
)
pool:
vmImage: ubuntu-20.04
vmImage: ubuntu-22.04

variables:
testRunTitle: '$(Build.SourceBranchName)-linux-coverage'
testRunPlatform: linux-coverage
openssl_version: 1.1.1n
openssl_version: 1.1.1u

steps:
- template: ./posix-steps.yml
Expand Down
24 changes: 19 additions & 5 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -126,10 +126,24 @@ jobs:
runs-on: macos-latest
needs: check_source
if: needs.check_source.outputs.run_tests == 'true'
env:
HOMEBREW_NO_ANALYTICS: 1
HOMEBREW_NO_AUTO_UPDATE: 1
HOMEBREW_NO_INSTALL_CLEANUP: 1
steps:
- uses: actions/checkout@v2
- name: Configure CPython
run: ./configure --with-pydebug --with-openssl=/usr/local/opt/openssl --prefix=/opt/python-dev
run: |
brew install pkg-config openssl@1.1 xz gdbm tcl-tk
SDKROOT=/Library/Developer/CommandLineTools/SDKs/MacOSX12.sdk \
CC=clang \
CPPFLAGS="-I$(brew --prefix gdbm)/include -I$(brew --prefix xz)/include" \
LDFLAGS="-L$(brew --prefix gdbm)/lib -L$(brew --prefix xz)/lib" \
./configure --prefix=/opt/python-dev \
--with-pydebug \
--with-openssl="$(brew --prefix openssl@1.1)" \
--with-tcltk-libs="$(pkg-config --libs tk)" \
--with-tcltk-includes="$(pkg-config --cflags tk)"
- name: Build CPython
run: make -j4
- name: Display build info
Expand All @@ -143,7 +157,7 @@ jobs:
needs: check_source
if: needs.check_source.outputs.run_tests == 'true'
env:
OPENSSL_VER: 1.1.1n
OPENSSL_VER: 1.1.1u
steps:
- uses: actions/checkout@v2
- name: Install Dependencies
Expand Down Expand Up @@ -184,7 +198,7 @@ jobs:
strategy:
fail-fast: false
matrix:
openssl_ver: [1.0.2u, 1.1.0l, 1.1.1l]
openssl_ver: [1.0.2u, 1.1.1u, 3.0.9, 3.1.1]
env:
OPENSSL_VER: ${{ matrix.openssl_ver }}
MULTISSL_DIR: ${{ github.workspace }}/multissl
Expand All @@ -201,7 +215,7 @@ jobs:
echo "LD_LIBRARY_PATH=${GITHUB_WORKSPACE}/multissl/openssl/${OPENSSL_VER}/lib" >> $GITHUB_ENV
- name: 'Restore OpenSSL build'
id: cache-openssl
uses: actions/cache@v2.1.4
uses: actions/cache@v3
with:
path: ./multissl/openssl/${{ env.OPENSSL_VER }}
key: ${{ runner.os }}-multissl-openssl-${{ env.OPENSSL_VER }}
Expand All @@ -212,7 +226,7 @@ jobs:
run: |
echo "PATH=/usr/lib/ccache:$PATH" >> $GITHUB_ENV
- name: Configure ccache action
uses: hendrikmuhs/ccache-action@v1
uses: hendrikmuhs/ccache-action@v1.2
- name: Configure CPython
run: ./configure --with-pydebug --with-openssl=$OPENSSL_DIR
- name: Build CPython
Expand Down
12 changes: 6 additions & 6 deletions .gitlab-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,11 @@ stages:
- if (Test-Path build-out) { remove-item -recurse -force build-out }
- docker run --rm -v "$(Get-Location):c:\mnt" -e CI_JOB_ID=${CI_JOB_ID} -e WINDOWS_BUILDER=true -e AWS_NETWORKING=true -e TARGET_ARCH="$ARCH" datadog/agent-buildimages-windows_x64:1809 C:\mnt\build.bat
- get-childitem build-out
- Get-FileHash -Algorithm SHA256 build-out/python-windows-3.8.16-${ARCH}.zip
- Get-FileHash -Algorithm SHA256 build-out/python-windows-3.8.17-${ARCH}.zip
artifacts:
expire_in: 2 weeks
paths:
- build-out/python-windows-3.8.16-${ARCH}.zip
- build-out/python-windows-3.8.17-${ARCH}.zip

build_binaries_x64:
extends: .build_common
Expand All @@ -42,8 +42,8 @@ deploy_x64:
!reference [.manual]
script:
- $hash = (git rev-parse --short HEAD 2> $null)
- Write-Host "Uploading zip python-windows-3.8.16-${hash}-x64.zip"
- Invoke-Expression "aws s3 cp --only-show-errors --region us-east-1 --sse AES256 --acl public-read build-out/python-windows-3.8.16-x64.zip s3://dd-agent-omnibus/python-windows-3.8.16-${hash}-x64.zip"
- Write-Host "Uploading zip python-windows-3.8.17-${hash}-x64.zip"
- Invoke-Expression "aws s3 cp --only-show-errors --region us-east-1 --sse AES256 --acl public-read build-out/python-windows-3.8.17-x64.zip s3://dd-agent-omnibus/python-windows-3.8.17-${hash}-x64.zip"

deploy_x86:
stage: deploy
Expand All @@ -53,5 +53,5 @@ deploy_x86:
!reference [.manual]
script:
- $hash = (git rev-parse --short HEAD 2> $null)
- Write-Host "Uploading zip python-windows-3.8.16-${hash}-x86.zip"
- Invoke-Expression "aws s3 cp --only-show-errors --region us-east-1 --sse AES256 --acl public-read build-out/python-windows-3.8.16-x86.zip s3://dd-agent-omnibus/python-windows-3.8.16-${hash}-x86.zip"
- Write-Host "Uploading zip python-windows-3.8.17-${hash}-x86.zip"
- Invoke-Expression "aws s3 cp --only-show-errors --region us-east-1 --sse AES256 --acl public-read build-out/python-windows-3.8.17-x86.zip s3://dd-agent-omnibus/python-windows-3.8.17-${hash}-x86.zip"
4 changes: 4 additions & 0 deletions Doc/c-api/marshal.rst
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,16 @@ unmarshalling. Version 2 uses a binary format for floating point numbers.
the least-significant 32 bits of *value*; regardless of the size of the
native :c:type:`long` type. *version* indicates the file format.
This function can fail, in which case it sets the error indicator.
Use :c:func:`PyErr_Occurred` to check for that.
.. c:function:: void PyMarshal_WriteObjectToFile(PyObject *value, FILE *file, int version)
Marshal a Python object, *value*, to *file*.
*version* indicates the file format.
This function can fail, in which case it sets the error indicator.
Use :c:func:`PyErr_Occurred` to check for that.
.. c:function:: PyObject* PyMarshal_WriteObjectToString(PyObject *value, int version)
Expand Down
2 changes: 1 addition & 1 deletion Doc/copyright.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ Copyright

Python and this documentation is:

Copyright © 2001-2022 Python Software Foundation. All rights reserved.
Copyright © 2001-2023 Python Software Foundation. All rights reserved.

Copyright © 2000 BeOpen.com. All rights reserved.

Expand Down
2 changes: 1 addition & 1 deletion Doc/library/concurrent.futures.rst
Original file line number Diff line number Diff line change
Expand Up @@ -182,7 +182,7 @@ ThreadPoolExecutor Example
'http://www.cnn.com/',
'http://europe.wsj.com/',
'http://www.bbc.co.uk/',
'http://some-made-up-domain.com/']
'http://nonexistant-subdomain.python.org/']

# Retrieve a single page and report the URL and contents
def load_url(url, timeout):
Expand Down
2 changes: 1 addition & 1 deletion Doc/library/mailcap.rst
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ standard. However, mailcap files are supported on most Unix systems.
use) to determine whether or not the mailcap line applies. :func:`findmatch`
will automatically check such conditions and skip the entry if the check fails.

.. versionchanged:: 3.11
.. versionchanged:: 3.8.16

To prevent security issues with shell metacharacters (symbols that have
special effects in a shell command line), ``findmatch`` will refuse
Expand Down
33 changes: 27 additions & 6 deletions Doc/library/shutil.rst
Original file line number Diff line number Diff line change
Expand Up @@ -640,7 +640,7 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
Remove the archive format *name* from the list of supported formats.


.. function:: unpack_archive(filename[, extract_dir[, format]])
.. function:: unpack_archive(filename[, extract_dir[, format[, filter]]])

Unpack an archive. *filename* is the full path of the archive.

Expand All @@ -654,11 +654,29 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
registered for that extension. In case none is found,
a :exc:`ValueError` is raised.

The keyword-only *filter* argument, which was added in Python 3.8.17,
is passed to the underlying unpacking function.
For zip files, *filter* is not accepted.
For tar files, it is recommended to set it to ``'data'``,
unless using features specific to tar and UNIX-like filesystems.
(See :ref:`tarfile-extraction-filter` for details.)
The ``'data'`` filter will become the default for tar files
in Python 3.14.

.. audit-event:: shutil.unpack_archive filename,extract_dir,format shutil.unpack_archive

.. warning::

Never extract archives from untrusted sources without prior inspection.
It is possible that files are created outside of the path specified in
the *extract_dir* argument, e.g. members that have absolute filenames
starting with "/" or filenames with two dots "..".

.. versionchanged:: 3.7
Accepts a :term:`path-like object` for *filename* and *extract_dir*.

.. versionchanged:: 3.8.17
Added the *filter* argument.

.. function:: register_unpack_format(name, extensions, function[, extra_args[, description]])

Expand All @@ -667,11 +685,14 @@ provided. They rely on the :mod:`zipfile` and :mod:`tarfile` modules.
``.zip`` for Zip files.

*function* is the callable that will be used to unpack archives. The
callable will receive the path of the archive, followed by the directory
the archive must be extracted to.

When provided, *extra_args* is a sequence of ``(name, value)`` tuples that
will be passed as keywords arguments to the callable.
callable will receive:

- the path of the archive, as a positional argument;
- the directory the archive must be extracted to, as a positional argument;
- possibly a *filter* keyword argument, if it was given to
:func:`unpack_archive`;
- additional keyword arguments, specified by *extra_args* as a sequence
of ``(name, value)`` tuples.

*description* can be provided to describe the format, and will be returned
by the :func:`get_unpack_formats` function.
Expand Down
6 changes: 3 additions & 3 deletions Doc/library/stdtypes.rst
Original file line number Diff line number Diff line change
Expand Up @@ -4880,7 +4880,7 @@ to mitigate denial of service attacks. This limit *only* applies to decimal or
other non-power-of-two number bases. Hexadecimal, octal, and binary conversions
are unlimited. The limit can be configured.

The :class:`int` type in CPython is an abitrary length number stored in binary
The :class:`int` type in CPython is an arbitrary length number stored in binary
form (commonly known as a "bignum"). There exists no algorithm that can convert
a string to a binary integer or a binary integer to a string in linear time,
*unless* the base is a power of 2. Even the best known algorithms for base 10
Expand Down Expand Up @@ -4944,7 +4944,7 @@ and :class:`str` or :class:`bytes`:
* ``int(string)`` with default base 10.
* ``int(string, base)`` for all bases that are not a power of 2.
* ``str(integer)``.
* ``repr(integer)``
* ``repr(integer)``.
* any other string conversion to base 10, for example ``f"{integer}"``,
``"{}".format(integer)``, or ``b"%d" % integer``.

Expand Down Expand Up @@ -4972,7 +4972,7 @@ command line flag to configure the limit:
:envvar:`PYTHONINTMAXSTRDIGITS` or :option:`-X int_max_str_digits <-X>`.
If both the env var and the ``-X`` option are set, the ``-X`` option takes
precedence. A value of *-1* indicates that both were unset, thus a value of
:data:`sys.int_info.default_max_str_digits` was used during initilization.
:data:`sys.int_info.default_max_str_digits` was used during initialization.

From code, you can inspect the current limit and set a new one using these
:mod:`sys` APIs:
Expand Down
40 changes: 40 additions & 0 deletions Doc/library/subprocess.rst
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,14 @@ compatibility with older versions, see the :ref:`call-function-trio` section.
Added the *text* parameter, as a more understandable alias of *universal_newlines*.
Added the *capture_output* parameter.

.. versionchanged:: 3.8.17

Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.

.. class:: CompletedProcess

The return value from :func:`run`, representing a process that has finished.
Expand Down Expand Up @@ -459,6 +467,14 @@ functions.
*executable* parameter accepts a bytes and :term:`path-like object`
on Windows.

.. versionchanged:: 3.8.17

Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.

*stdin*, *stdout* and *stderr* specify the executed program's standard input,
standard output and standard error file handles, respectively. Valid values
are :data:`PIPE`, :data:`DEVNULL`, an existing file descriptor (a positive
Expand Down Expand Up @@ -1077,6 +1093,14 @@ calls these functions.
.. versionchanged:: 3.3
*timeout* was added.

.. versionchanged:: 3.8.17

Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.

.. function:: check_call(args, *, stdin=None, stdout=None, stderr=None, \
shell=False, cwd=None, timeout=None, \
**other_popen_kwargs)
Expand Down Expand Up @@ -1107,6 +1131,14 @@ calls these functions.
.. versionchanged:: 3.3
*timeout* was added.

.. versionchanged:: 3.8.17

Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.


.. function:: check_output(args, *, stdin=None, stderr=None, shell=False, \
cwd=None, encoding=None, errors=None, \
Expand Down Expand Up @@ -1162,6 +1194,14 @@ calls these functions.
.. versionadded:: 3.7
*text* was added as a more readable alias for *universal_newlines*.

.. versionchanged:: 3.8.17

Changed Windows shell search order for ``shell=True``. The current
directory and ``%PATH%`` are replaced with ``%COMSPEC%`` and
``%SystemRoot%\System32\cmd.exe``. As a result, dropping a
malicious program named ``cmd.exe`` into a current directory no
longer works.


.. _subprocess-replacements:

Expand Down
Loading

0 comments on commit e0a363f

Please sign in to comment.