|
| 1 | +.. date: 2025-10-07-19-31-34 |
| 2 | +.. gh-issue: 139700 |
| 3 | +.. nonce: vNHU1O |
| 4 | +.. release date: 2025-10-09 |
| 5 | +.. section: Security |
| 6 | +
|
| 7 | +Check consistency of the zip64 end of central directory record. Support |
| 8 | +records with "zip64 extensible data" if there are no bytes prepended to the |
| 9 | +ZIP file. |
| 10 | + |
| 11 | +.. |
| 12 | +
|
| 13 | +.. date: 2025-09-29-00-01-28 |
| 14 | +.. gh-issue: 139400 |
| 15 | +.. nonce: X2T-jO |
| 16 | +.. section: Security |
| 17 | +
|
| 18 | +:mod:`xml.parsers.expat`: Make sure that parent Expat parsers are only |
| 19 | +garbage-collected once they are no longer referenced by subparsers created |
| 20 | +by:meth:`~xml.parsers.expat.xmlparser.ExternalEntityParserCreate`. Patch by |
| 21 | +Sebastian Pipping. |
| 22 | + |
| 23 | +.. |
| 24 | +
|
| 25 | +.. date: 2025-07-28-10-35-59 |
| 26 | +.. gh-issue: 121227 |
| 27 | +.. nonce: Orp1wf |
| 28 | +.. section: Security |
| 29 | +
|
| 30 | +Raise an:exc:`SSL.SSLError` if an empty *protocols* argument is passed to |
| 31 | +:meth:`ssl.SSLContext.set_npn_protocols` to fix ``CVE-2024-5642``. |
| 32 | + |
| 33 | +.. |
| 34 | +
|
| 35 | +.. date: 2025-06-25-14-13-39 |
| 36 | +.. gh-issue: 135661 |
| 37 | +.. nonce: idjQ0B |
| 38 | +.. section: Security |
| 39 | +
|
| 40 | +Fix parsing start and end tags in:class:`html.parser.HTMLParser` according |
| 41 | +to the HTML5 standard. |
| 42 | + |
| 43 | +* Whitespaces no longer accepted between ``</`` and the tag name. |
| 44 | + E.g. ``</ script>`` does not end the script section. |
| 45 | + |
| 46 | +* Vertical tabulation (``\v``) and non-ASCII whitespaces no longer recognized |
| 47 | + as whitespaces. The only whitespaces are ``\t\n\r\f`` and space. |
| 48 | + |
| 49 | +* Null character (U+0000) no longer ends the tag name. |
| 50 | + |
| 51 | +* Attributes and slashes after the tag name in end tags are now ignored, |
| 52 | + instead of terminating after the first ``>`` in quoted attribute value. |
| 53 | + E.g. ``</script/foo=">"/>``. |
| 54 | + |
| 55 | +* Multiple slashes and whitespaces between the last attribute and closing ``>`` |
| 56 | + are now ignored in both start and end tags. E.g. ``<a foo=bar/ //>``. |
| 57 | + |
| 58 | +* Multiple ``=`` between attribute name and value are no longer collapsed. |
| 59 | + E.g. ``<a foo==bar>`` produces attribute "foo" with value "=bar". |
| 60 | + |
| 61 | +.. |
| 62 | +
|
| 63 | +.. date: 2025-06-18-13-34-55 |
| 64 | +.. gh-issue: 135661 |
| 65 | +.. nonce: NZlpWf |
| 66 | +.. section: Security |
| 67 | +
|
| 68 | +Fix CDATA section parsing in:class:`html.parser.HTMLParser` according to |
| 69 | +the HTML5 standard: ``] ]>`` and ``]] >`` no longer end the CDATA section. |
| 70 | +Add private method ``_set_support_cdata()`` which can be used to specify how |
| 71 | +to parse ``<[CDATA[`` --- as a CDATA section in foreign content (SVG or |
| 72 | +MathML) or as a bogus comment in the HTML namespace. |
| 73 | + |
| 74 | +.. |
| 75 | +
|
| 76 | +.. date: 2025-06-18-13-28-08 |
| 77 | +.. gh-issue: 102555 |
| 78 | +.. nonce: nADrzJ |
| 79 | +.. section: Security |
| 80 | +
|
| 81 | +Fix comment parsing in:class:`html.parser.HTMLParser` according to the |
| 82 | +HTML5 standard. ``--!>`` now ends the comment. ``-- >`` no longer ends the |
| 83 | +comment. Support abnormally ended empty comments ``<-->`` and ``<--->``. |
| 84 | + |
| 85 | +.. |
| 86 | +
|
| 87 | +.. date: 2025-06-13-15-55-22 |
| 88 | +.. gh-issue: 135462 |
| 89 | +.. nonce: KBeJpc |
| 90 | +.. section: Security |
| 91 | +
|
| 92 | +Fix quadratic complexity in processing specially crafted input in |
| 93 | +:class:`html.parser.HTMLParser`. End-of-file errors are now handled |
| 94 | +according to the HTML5 specs -- comments and declarations are automatically |
| 95 | +closed, tags are ignored. |
| 96 | + |
| 97 | +.. |
| 98 | +
|
| 99 | +.. date: 2025-06-09-20-38-25 |
| 100 | +.. gh-issue: 118350 |
| 101 | +.. nonce: KgWCcP |
| 102 | +.. section: Security |
| 103 | +
|
| 104 | +Fix support of escapable raw text mode (elements "textarea" and "title") in |
| 105 | +:class:`html.parser.HTMLParser`. |
| 106 | + |
| 107 | +.. |
| 108 | +
|
| 109 | +.. date: 2023-02-13-21-41-34 |
| 110 | +.. gh-issue: 86155 |
| 111 | +.. nonce: ppIGSC |
| 112 | +.. section: Security |
| 113 | +
|
| 114 | +:meth:`html.parser.HTMLParser.close` no longer loses data when the |
| 115 | +``<script>`` tag is not closed. Patch by Waylan Limberg. |
| 116 | + |
| 117 | +.. |
| 118 | +
|
| 119 | +.. date: 2025-09-25-07-33-43 |
| 120 | +.. gh-issue: 139312 |
| 121 | +.. nonce: ygE8AC |
| 122 | +.. section: Library |
| 123 | +
|
| 124 | +Upgrade bundled libexpat to 2.7.3 |
| 125 | + |
| 126 | +.. |
| 127 | +
|
| 128 | +.. date: 2025-09-16-19-05-29 |
| 129 | +.. gh-issue: 138998 |
| 130 | +.. nonce: URl0Y_ |
| 131 | +.. section: Library |
| 132 | +
|
| 133 | +Update bundled libexpat to 2.7.2 |
| 134 | + |
| 135 | +.. |
| 136 | +
|
| 137 | +.. date: 2025-07-23-00-35-29 |
| 138 | +.. gh-issue: 130577 |
| 139 | +.. nonce: c7EITy |
| 140 | +.. section: Library |
| 141 | +
|
| 142 | +:mod:`tarfile` now validates archives to ensure member offsets are |
| 143 | +non-negative. (Contributed by Alexander Enrique Urieles Nieto in |
| 144 | +:gh:`130577`.) |
| 145 | + |
| 146 | +.. |
| 147 | +
|
| 148 | +.. date: 2025-06-11-17-47-19 |
| 149 | +.. gh-issue: 135374 |
| 150 | +.. nonce: eqRcTc |
| 151 | +.. section: Library |
| 152 | +
|
| 153 | +Update the bundled copy of setuptools to 79.0.1. |