md5 is not an approved algorithm in FIPS mode, and trying to instantiate
a hashlib.md5() will fail when the system is running in FIPS mode.
md5 is allowed when in a non-security context. There is a plan to add a
keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether
or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() has been added.
This encapsulation will pass through the usedforsecurity parameter in
the case where the parameter is supported, and strip it if it is not.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Thanks Carlton Gibson, Chris Jerdonek, David Smith, Keryn Knight,
Mariusz Felisiak, and Nick Pope for reviews and mentoring this
Google Summer of Code 2021 project.
The validate_key() function should be called after make_key() to ensure
that the validation is performed on the key that will actually be
stored in the cache.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
By using a asgiref's ThreadSensitiveContext context manager, requests
will be able to execute independently of other requests when sync work
is involved.
Prior to this commit, a single global thread was used to execute any
sync work independent of the request from which that work was scheduled.
This could result in contention for the global sync thread in the case
of a slow sync function.
Requests are now isolated to their own sync thread.
By default, this means that readline is properly registered, so that
.python_history is used.
sys.__interactivehook__ may be set by a $PYTHONSTARTUP file.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.
[1] https://bugs.python.org/issue36384
Moved deeply nested blocks out of inner loops to improve readability
and maintainability.
Thanks to Mariusz Felisiak, Shreyas Ravi, and Paolo Melchiorre for
feedback.
This always replaces 'fixture_name' with its base name, which preserves
the previous behavior, because os.path.basename() was not called only on
relative paths without os.path.sep i.e. when base name was equal to the
file name.
This also changes os.path.dirname() and os.path.basename() calls to the
equivalent os.path.split() call.
This moves code unable to trigger relevant exceptions outside of
try/except blocks, and changes 'objects' to 'objects_in_fixture'
which is equal to the length of 'objects'.
- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb3691.
- Replaced datetime.utcnow() with datetime.now().
- Replaced datetime.utcfromtimestamp() with datetime.fromtimestamp().
- Replaced datetime.utctimetuple() with datetime.timetuple().
- Replaced calendar.timegm() and datetime.utctimetuple() with datetime.timestamp().
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
This check dates back to Python <2.5, before Python introduced
BaseException to prevent exactly unwarranted catching of SystemExit
(and others).
response_for_exception() is only called under `except Exception` or
`except Http404` so it's now impossible for a SystemExit instance to
reach the branch.
ConnectionAbortedError, BrokenPipeError, ConnectionResetError raised
from SocketServer.BaseServer.finish_request() are already suppressed
by wsgiref.handlers.BaseHandler.run() in Python 3.7+, see
47ffc1a9f6
Many of the cache operations make use of the default argument to the
.get() operation to determine whether the key was found in the cache.
The default value of the default argument is None, so this results in
these operations assuming that None is not stored in the cache when it
actually is. Adding a sentinel object solves this issue.
Unfortunately the unmaintained python-memcached library does not support
a default argument to .get(), so the previous behavior is preserved for
the deprecated MemcachedCache backend.
This removes unused (since d038c547b5)
workaround to load a cache backend with its dotted import path and
moves remaining logic to the CacheHandler.
Thanks Tim Graham for the review.
Adam Johnson
Jacob Walls
Mariusz Felisiak
Ad Timmering
Florian Apolloner
mendespedro
Jeremy Lainé
Arsa
jordan.bae
andrewdotn
Hasan Ramezani
Shreya Bamne
David Smith
Ade Lee
Daniyal
Andrew-Chen-Wang
Nick Pope
Peter Inglesby
Stefanos I. Tsaklidis
sage
Jan Szoja
Sondre Lillebø Gundersen
qimingmafan
Wu Haotian
Wilhelm Klopp
Allan Feldman
Carlton Gibson
Chris Jerdonek
Michael Lissner
William Schwartz
Rohith PR
ecogels
Tim Graham
bankc
Josh Santos
Mikolaj Rybinski
Daniel Ebrahimian
Simon Charette
Timothy McCurrach
Paolo Melchiorre
Akshat1Nar
Nick Pope
Abhishek Ghaskata
Petter Strandmark
manav014
MinchinWeb