| .. bpo: 30730 |
| .. date: 9992 |
| .. nonce: rJsyTH |
| .. original section: Library |
| .. release date: 2017-07-07 |
| .. section: Security |
| |
| Prevent environment variables injection in subprocess on Windows. Prevent |
| passing other environment variables and command arguments. |
| |
| .. |
| |
| .. bpo: 30694 |
| .. date: 9991 |
| .. nonce: WkMWM_ |
| .. original section: Library |
| .. section: Security |
| |
| Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security |
| vulnerabilities including: :cve:`2017-9233` (External entity infinite loop |
| DoS), :cve:`2016-9063` (Integer overflow, re-fix), :cve:`2016-0718` (Fix |
| regression bugs from 2.2.0's fix to :cve:`2016-0718`) and :cve:`2012-0876` |
| (Counter hash flooding with SipHash). Note: the :cve:`2016-5300` (Use |
| os-specific entropy sources like getrandom) doesn't impact Python, since |
| Python already gets entropy from the OS to set the expat secret using |
| ``XML_SetHashSalt()``. |
| |
| .. |
| |
| .. bpo: 30500 |
| .. date: 9990 |
| .. nonce: 1VG7R- |
| .. original section: Library |
| .. section: Security |
| |
| Fix urllib.parse.splithost() to correctly parse fragments. For example, |
| ``splithost('//127.0.0.1#@evil.com/')`` now correctly returns the |
| ``127.0.0.1`` host, instead of treating ``@evil.com`` as the host in an |
| authentication (``login@host``). |
