Python3.5.5

+++++++++++ Python News +++++++++++ What's New in Python 3.5.4 release candidate 1? =============================================== *Release date: 2017-07-23* Security -------- - bpo-30730: Prevent environment variables injection in subprocess on Windows. Prevent passing other environment variables and command arguments. - bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression bugs from 2.2.0's fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- specific entropy sources like getrandom) doesn't impact Python, since Python already gets entropy from the OS to set the expat secret using ``XML_SetHashSalt()``. - bpo-30500: Fix urllib.parse.splithost() to correctly parse fragments. For example, ``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the ``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an authentification (``login@host``). - bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more information. Core and Builtins ----------------- - bpo-30876: Relative import from unloaded package now reimports the package instead of failing with SystemError. Relative import from non-package now fails with ImportError rather than SystemError. - bpo-30765: Avoid blocking in pthread_mutex_lock() when PyThread_acquire_lock() is asked not to block. - bpo-27945: Fixed various segfaults with dict when input collections are mutated during searching, inserting or comparing. Based on patches by Duane Griffin and Tim Mitchell. - bpo-25794: Fixed type.__setattr__() and type.__delattr__() for non- interned attribute names. Based on patch by Eryk Sun. - bpo-29935: Fixed error messages in the index() method of tuple, list and deque when pass indices of wrong type. - bpo-28876: ``bool(range)`` works even if ``len(range)`` raises :exc:`OverflowError`. - bpo-29600: Fix wrapping coroutine return values in StopIteration. - bpo-29537: Restore runtime compatibility with bytecode files generated by CPython 3.5.0 to 3.5.2, and adjust the eval loop to avoid the problems that could be caused by the malformed variant of the BUILD_MAP_UNPACK_WITH_CALL opcode that they may contain. Patch by Petr Viktorin, Serhiy Storchaka, and Nick Coghlan. - bpo-28598: Support __rmod__ for subclasses of str being called before str.__mod__. Patch by Martijn Pieters. - bpo-29602: Fix incorrect handling of signed zeros in complex constructor for complex subclasses and for inputs having a __complex__ method. Patch by Serhiy Storchaka. - bpo-29347: Fixed possibly dereferencing undefined pointers when creating weakref objects. - bpo-29438: Fixed use-after-free problem in key sharing dict. - bpo-29319: Prevent RunMainFromImporter overwriting sys.path[0]. - bpo-29337: Fixed possible BytesWarning when compare the code objects. Warnings could be emitted at compile time. - bpo-29478: If max_line_length=None is specified while using the Compat32 policy, it is no longer ignored. Patch by Mircea Cosbuc. Library ------- - bpo-29403: Fix ``unittest.mock``'s autospec to not fail on method-bound builtin functions. Patch by Aaron Gallagher. - bpo-30961: Fix decrementing a borrowed reference in tracemalloc. - bpo-30886: Fix multiprocessing.Queue.join_thread(): it now waits until the thread completes, even if the thread was started by the same process which created the queue. - bpo-29854: Fix segfault in readline when using readline's history-size option. Patch by Nir Soffer. - bpo-30807: signal.setitimer() may disable the timer when passed a tiny value. Tiny values (such as 1e-6) are valid non-zero values for setitimer(), which is specified as taking microsecond-resolution intervals. However, on some platform, our conversion routine could convert 1e-6 into a zero interval, therefore disabling the timer instead of (re-)scheduling it. - bpo-30441: Fix bug when modifying os.environ while iterating over it - bpo-30532: Fix email header value parser dropping folding white space in certain cases. - bpo-29169: Update zlib to 1.2.11. - bpo-30879: os.listdir() and os.scandir() now emit bytes names when called with bytes- like argument. - bpo-30746: Prohibited the '=' character in environment variable names in ``os.putenv()`` and ``os.spawn*()``. - bpo-29755: Fixed the lgettext() family of functions in the gettext module. They now always return bytes. - bpo-30645: Fix path calculation in imp.load_package(), fixing it for cases when a package is only shipped with bytecodes. Patch by Alexandru Ardelean. - bpo-23890: unittest.TestCase.assertRaises() now manually breaks a reference cycle to not keep objects alive longer than expected. - bpo-30149: inspect.signature() now supports callables with variable- argument parameters wrapped with partialmethod. Patch by Dong-hee Na. - bpo-29931: Fixed comparison check for ipaddress.ip_interface objects. Patch by Sanjay Sundaresan. - bpo-24484: Avoid race condition in multiprocessing cleanup. - bpo-28994: The traceback no longer displayed for SystemExit raised in a callback registered by atexit. - bpo-30508: Don't log exceptions if Task/Future "cancel()" method was called. - bpo-28556: Updates to typing module: Add generic AsyncContextManager, add support for ContextManager on all versions. Original PRs by Jelle Zijlstra and Ivan Levkivskyi - bpo-29870: Fix ssl sockets leaks when connection is aborted in asyncio/ssl implementation. Patch by Michaël Sghaïer. - bpo-29743: Closing transport during handshake process leaks open socket. Patch by Nikolay Kim - bpo-27585: Fix waiter cancellation in asyncio.Lock. Patch by Mathieu Sornay. - bpo-30418: On Windows, subprocess.Popen.communicate() now also ignore EINVAL on stdin.write() if the child process is still running but closed the pipe. - bpo-30378: Fix the problem that logging.handlers.SysLogHandler cannot handle IPv6 addresses. - bpo-29960: Preserve generator state when _random.Random.setstate() raises an exception. Patch by Bryan Olson. - bpo-30414: multiprocessing.Queue._feed background running thread do not break from main loop on exception. - bpo-30003: Fix handling escape characters in HZ codec. Based on patch by Ma Lin. - bpo-30301: Fix AttributeError when using SimpleQueue.empty() under *spawn* and *forkserver* start methods. - bpo-30329: imaplib and poplib now catch the Windows socket WSAEINVAL error (code 10022) on shutdown(SHUT_RDWR): An invalid operation was attempted. This error occurs sometimes on SSL connections. - bpo-30375: Warnings emitted when compile a regular expression now always point to the line in the user code. Previously they could point into inners of the re module if emitted from inside of groups or conditionals. - bpo-30048: Fixed ``Task.cancel()`` can be ignored when the task is running coroutine and the coroutine returned without any more ``await``. - bpo-29990: Fix range checking in GB18030 decoder. Original patch by Ma Lin. - bpo-26293: Change resulted because of zipfile breakage. (See also: bpo-29094) - bpo-30243: Removed the __init__ methods of _json's scanner and encoder. Misusing them could cause memory leaks or crashes. Now scanner and encoder objects are completely initialized in the __new__ methods. - bpo-30185: Avoid KeyboardInterrupt tracebacks in forkserver helper process when Ctrl-C is received. - bpo-28556: Various updates to typing modu