From 29fe5f91d7143cfe949cec45c1653bc6dbcf6ea7 Mon Sep 17 00:00:00 2001
From: Josef Schlehofer <pepe.schlehofer@gmail.com>
Date: Sat, 21 Dec 2019 13:50:01 +0100
Subject: [PATCH] python3: Updated to version 3.6.10

Remove backported patches:
025-bpo-34155-Dont-parse-domains-containing-GH-13079-GH-.patch
026-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch

Fixes CVE-2019-16056

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
---
 lang/python/python3-version.mk                |   2 +-
 lang/python/python3/Makefile                  |   4 +-
 ...arse-domains-containing-GH-13079-GH-.patch | 134 ------------------
 ....server-Escape-the-server_title-GH-1.patch |  83 -----------
 4 files changed, 3 insertions(+), 220 deletions(-)
 delete mode 100644 lang/python/python3/patches/025-bpo-34155-Dont-parse-domains-containing-GH-13079-GH-.patch
 delete mode 100644 lang/python/python3/patches/026-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch

diff --git a/lang/python/python3-version.mk b/lang/python/python3-version.mk
index badfa1c495..e850b9a17b 100644
--- a/lang/python/python3-version.mk
+++ b/lang/python/python3-version.mk
@@ -8,7 +8,7 @@
 # Note: keep in sync with setuptools & pip
 PYTHON3_VERSION_MAJOR:=3
 PYTHON3_VERSION_MINOR:=6
-PYTHON3_VERSION_MICRO:=9
+PYTHON3_VERSION_MICRO:=10
 
 PYTHON3_VERSION:=$(PYTHON3_VERSION_MAJOR).$(PYTHON3_VERSION_MINOR)
 
diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile
index 93cc82da8a..32b564cb4d 100644
--- a/lang/python/python3/Makefile
+++ b/lang/python/python3/Makefile
@@ -14,12 +14,12 @@ PYTHON_VERSION:=$(PYTHON3_VERSION)
 PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
 
 PKG_NAME:=python3
-PKG_RELEASE:=4
+PKG_RELEASE:=1
 PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
 
 PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=https://www.python.org/ftp/python/$(PKG_VERSION)
-PKG_HASH:=5e2f5f554e3f8f7f0296f7e73d8600c4e9acbaee6b2555b83206edf5153870da
+PKG_HASH:=0a833c398ac8cd7c5538f7232d8531afef943c60495c504484f308dac3af40de
 
 PKG_LICENSE:=PSF
 PKG_LICENSE_FILES:=LICENSE Modules/_ctypes/libffi_msvc/LICENSE Modules/_ctypes/darwin/LICENSE Modules/_ctypes/libffi/LICENSE Modules/_ctypes/libffi_osx/LICENSE Tools/pybench/LICENSE
diff --git a/lang/python/python3/patches/025-bpo-34155-Dont-parse-domains-containing-GH-13079-GH-.patch b/lang/python/python3/patches/025-bpo-34155-Dont-parse-domains-containing-GH-13079-GH-.patch
deleted file mode 100644
index dfee58a9d4..0000000000
--- a/lang/python/python3/patches/025-bpo-34155-Dont-parse-domains-containing-GH-13079-GH-.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 13a19139b5e76175bc95294d54afc9425e4f36c9 Mon Sep 17 00:00:00 2001
-From: "Miss Islington (bot)"
- <31488909+miss-islington@users.noreply.github.com>
-Date: Fri, 9 Aug 2019 08:22:19 -0700
-Subject: [PATCH] bpo-34155: Dont parse domains containing @ (GH-13079)
- (GH-14826)
-
-Before:
-
-        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
-        (Address(display_name='', username='a', domain='malicious.org'),)
-
-        >>> parseaddr('a@malicious.org@important.com')
-        ('', 'a@malicious.org')
-
-    After:
-
-        >>> email.message_from_string('From: a@malicious.org@important.com', policy=email.policy.default)['from'].addresses
-        (Address(display_name='', username='', domain=''),)
-
-        >>> parseaddr('a@malicious.org@important.com')
-        ('', 'a@')
-
-https://bugs.python.org/issue34155
-(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
-
-Co-authored-by: jpic <jpic@users.noreply.github.com>
----
- Lib/email/_header_value_parser.py                  |  2 ++
- Lib/email/_parseaddr.py                            | 11 ++++++++++-
- Lib/test/test_email/test__header_value_parser.py   | 10 ++++++++++
- Lib/test/test_email/test_email.py                  | 14 ++++++++++++++
- .../2019-05-04-13-33-37.bpo-34155.MJll68.rst       |  1 +
- 5 files changed, 37 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-
-diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
-index 737951e4b1..bc9c9b6241 100644
---- a/Lib/email/_header_value_parser.py
-+++ b/Lib/email/_header_value_parser.py
-@@ -1561,6 +1561,8 @@ def get_domain(value):
-         token, value = get_dot_atom(value)
-     except errors.HeaderParseError:
-         token, value = get_atom(value)
-+    if value and value[0] == '@':
-+        raise errors.HeaderParseError('Invalid Domain')
-     if leader is not None:
-         token[:0] = [leader]
-     domain.append(token)
-diff --git a/Lib/email/_parseaddr.py b/Lib/email/_parseaddr.py
-index cdfa3729ad..41ff6f8c00 100644
---- a/Lib/email/_parseaddr.py
-+++ b/Lib/email/_parseaddr.py
-@@ -379,7 +379,12 @@ class AddrlistClass:
-         aslist.append('@')
-         self.pos += 1
-         self.gotonext()
--        return EMPTYSTRING.join(aslist) + self.getdomain()
-+        domain = self.getdomain()
-+        if not domain:
-+            # Invalid domain, return an empty address instead of returning a
-+            # local part to denote failed parsing.
-+            return EMPTYSTRING
-+        return EMPTYSTRING.join(aslist) + domain
- 
-     def getdomain(self):
-         """Get the complete domain name from an address."""
-@@ -394,6 +399,10 @@ class AddrlistClass:
-             elif self.field[self.pos] == '.':
-                 self.pos += 1
-                 sdlist.append('.')
-+            elif self.field[self.pos] == '@':
-+                # bpo-34155: Don't parse domains with two `@` like
-+                # `a@malicious.org@important.com`.
-+                return EMPTYSTRING
-             elif self.field[self.pos] in self.atomends:
-                 break
-             else:
-diff --git a/Lib/test/test_email/test__header_value_parser.py b/Lib/test/test_email/test__header_value_parser.py
-index a2c900fa7f..02ef3e1006 100644
---- a/Lib/test/test_email/test__header_value_parser.py
-+++ b/Lib/test/test_email/test__header_value_parser.py
-@@ -1418,6 +1418,16 @@ class TestParser(TestParserMixin, TestEmailBase):
-         self.assertEqual(addr_spec.domain, 'example.com')
-         self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
- 
-+    def test_get_addr_spec_multiple_domains(self):
-+        with self.assertRaises(errors.HeaderParseError):
-+            parser.get_addr_spec('star@a.star@example.com')
-+
-+        with self.assertRaises(errors.HeaderParseError):
-+            parser.get_addr_spec('star@a@example.com')
-+
-+        with self.assertRaises(errors.HeaderParseError):
-+            parser.get_addr_spec('star@172.17.0.1@example.com')
-+
-     # get_obs_route
- 
-     def test_get_obs_route_simple(self):
-diff --git a/Lib/test/test_email/test_email.py b/Lib/test/test_email/test_email.py
-index f97ccc6711..68d0522799 100644
---- a/Lib/test/test_email/test_email.py
-+++ b/Lib/test/test_email/test_email.py
-@@ -3035,6 +3035,20 @@ class TestMiscellaneous(TestEmailBase):
-         self.assertEqual(utils.parseaddr('<>'), ('', ''))
-         self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
- 
-+    def test_parseaddr_multiple_domains(self):
-+        self.assertEqual(
-+            utils.parseaddr('a@b@c'),
-+            ('', '')
-+        )
-+        self.assertEqual(
-+            utils.parseaddr('a@b.c@c'),
-+            ('', '')
-+        )
-+        self.assertEqual(
-+            utils.parseaddr('a@172.17.0.1@c'),
-+            ('', '')
-+        )
-+
-     def test_noquote_dump(self):
-         self.assertEqual(
-             utils.formataddr(('A Silly Person', 'person@dom.ain')),
-diff --git a/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-new file mode 100644
-index 0000000000..50292e29ed
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
-@@ -0,0 +1 @@
-+Fix parsing of invalid email addresses with more than one ``@`` (e.g. a@b@c.com.) to not return the part before 2nd ``@`` as valid email address. Patch by maxking & jpic.
--- 
-2.20.1
-
diff --git a/lang/python/python3/patches/026-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch b/lang/python/python3/patches/026-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch
deleted file mode 100644
index b79f81bd32..0000000000
--- a/lang/python/python3/patches/026-bpo-38243-xmlrpc.server-Escape-the-server_title-GH-1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From 1698cacfb924d1df452e78d11a4bf81ae7777389 Mon Sep 17 00:00:00 2001
-From: Victor Stinner <vstinner@redhat.com>
-Date: Sat, 28 Sep 2019 09:33:00 +0200
-Subject: [PATCH] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
- (GH-16441)
-
-Escape the server title of xmlrpc.server.DocXMLRPCServer
-when rendering the document page as HTML.
-
-(cherry picked from commit e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa)
----
- Lib/test/test_docxmlrpc.py                       | 16 ++++++++++++++++
- Lib/xmlrpc/server.py                             |  3 ++-
- .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst     |  3 +++
- 3 files changed, 21 insertions(+), 1 deletion(-)
- create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-
-diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
-index 00903337c0..d2adb21af0 100644
---- a/Lib/test/test_docxmlrpc.py
-+++ b/Lib/test/test_docxmlrpc.py
-@@ -1,5 +1,6 @@
- from xmlrpc.server import DocXMLRPCServer
- import http.client
-+import re
- import sys
- from test import support
- threading = support.import_module('threading')
-@@ -193,6 +194,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
-              b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
-             response.read())
- 
-+    def test_server_title_escape(self):
-+        # bpo-38243: Ensure that the server title and documentation
-+        # are escaped for HTML.
-+        self.serv.set_server_title('test_title<script>')
-+        self.serv.set_server_documentation('test_documentation<script>')
-+        self.assertEqual('test_title<script>', self.serv.server_title)
-+        self.assertEqual('test_documentation<script>',
-+                self.serv.server_documentation)
-+
-+        generated = self.serv.generate_html_documentation()
-+        title = re.search(r'<title>(.+?)</title>', generated).group()
-+        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
-+        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
-+        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
-+
- 
- if __name__ == '__main__':
-     unittest.main()
-diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
-index 3e0dca027f..efe5937489 100644
---- a/Lib/xmlrpc/server.py
-+++ b/Lib/xmlrpc/server.py
-@@ -106,6 +106,7 @@ server.handle_request()
- 
- from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
- from http.server import BaseHTTPRequestHandler
-+import html
- import http.server
- import socketserver
- import sys
-@@ -904,7 +905,7 @@ class XMLRPCDocGenerator:
-                                 methods
-                             )
- 
--        return documenter.page(self.server_title, documentation)
-+        return documenter.page(html.escape(self.server_title), documentation)
- 
- class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
-     """XML-RPC and documentation request handler class.
-diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-new file mode 100644
-index 0000000000..98d7be1295
---- /dev/null
-+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
-@@ -0,0 +1,3 @@
-+Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`
-+when rendering the document page as HTML.
-+(Contributed by Dong-hee Na in :issue:`38243`.)
--- 
-2.20.1
-
-- 
2.30.2