Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
  • Loading branch information
jamadden committed Feb 12, 2024
1 parent af1c3a9 commit bd35572
Show file tree
Hide file tree
Showing 3 changed files with 44 additions and 8 deletions.
15 changes: 10 additions & 5 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,11 @@ jobs:
# with it. That means for the bulk of our testing we need to
# stick to 3.9.
# PyPy 7.3.13 started crashing for unknown reasons.
# CAREFUL: Some of the tests are only run on specific versions of Python,
# as dictated by the conditions found below. So when you change a version,
# for example to force a specific patch release, don't forget to change conditions!
# XXX: We could probably make this easier on ourself by adding a specific
# key to the matrix in the version we care about and checking for that matrix key.
python-version: ["3.12.1", "pypy-3.10-v7.3.12", 3.8, 3.9, '3.10', '3.11.8']
os: [macos-latest, ubuntu-latest]
exclude:
Expand Down Expand Up @@ -275,7 +280,7 @@ jobs:
python -m gevent.tests --second-chance $G_USE_COV `(cd src/gevent/tests >/dev/null && ls test__*subprocess*.py)`
- name: "Tests: c-ares resolver"
# This sometimes fails on mac.
if: (matrix.python-version == '3.11') && startsWith(runner.os, 'Linux')
if: (matrix.python-version == '3.11.8') && startsWith(runner.os, 'Linux')
env:
GEVENT_RESOLVER: ares
run: |
Expand All @@ -292,27 +297,27 @@ jobs:
# Run the leaktests;
# This is incredibly important and we MUST have an environment that successfully passes
# these tests.
if: (startsWith(matrix.python-version, '3.11')) && startsWith(runner.os, 'Linux')
if: (startsWith(matrix.python-version, '3.11.8')) && startsWith(runner.os, 'Linux')
env:
GEVENTTEST_LEAKCHECK: 1
run: |
python -m gevent.tests --second-chance --ignore tests_that_dont_do_leakchecks.txt
- name: "Tests: PURE_PYTHON"
# No compiled cython modules on CPython, using the default backend. Get coverage here.
# We should only need to run this for a single version.
if: (matrix.python-version == '3.11') && startsWith(runner.os, 'Linux')
if: (matrix.python-version == '3.11.8') && startsWith(runner.os, 'Linux')
env:
PURE_PYTHON: 1
run: |
python -mgevent.tests --second-chance --coverage
- name: "Tests: libuv"
if: (startsWith(matrix.python-version, '3.11'))
if: (startsWith(matrix.python-version, '3.11.8'))
env:
GEVENT_LOOP: libuv
run: |
python -m gevent.tests --second-chance $G_USE_COV
- name: "Tests: libev-cffi"
if: (matrix.python-version == '3.11') && startsWith(runner.os, 'Linux')
if: (matrix.python-version == '3.11.8') && startsWith(runner.os, 'Linux')
env:
GEVENT_LOOP: libev-cffi
run: |
Expand Down
1 change: 1 addition & 0 deletions docs/changes/2020.bugfix
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,4 @@ Other updates for compatibility with the standard library include:
- ``SSLSocket.recv_into`` and ``SSLSocket.read`` no longer require the
buffer to implement ``len`` and now work with buffers whose size is
not 1.
- gh-108310: Fix CVE-2023-40217: Check for & avoid the ssl pre-close flaw.
36 changes: 33 additions & 3 deletions src/gevent/ssl.py
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,9 @@


from gevent.socket import socket, timeout_default
from gevent.socket import error as socket_error
from gevent.socket import timeout as _socket_timeout
from gevent._util import copy_globals

socket_error = OSError

from weakref import ref as _wref

Expand Down Expand Up @@ -293,12 +292,43 @@ def __init__(self, sock=None, keyfile=None, certfile=None,
# see if we're connected
try:
self._sock.getpeername()
except socket_error as e:
except OSError as e:
if e.errno != errno.ENOTCONN:
# This file descriptor is hosed, shared or not.
# Clean up.
self.close()
raise
# Next block is originally from
# https://github.com/python/cpython/commit/75a875e0df0530b75b1470d797942f90f4a718d3,
# intended to fix https://github.com/python/cpython/issues/108310
blocking = self.getblocking()
self.setblocking(False)
try:
# We are not connected so this is not supposed to block, but
# testing revealed otherwise on macOS and Windows so we do
# the non-blocking dance regardless. Our raise when any data
# is found means consuming the data is harmless.
notconn_pre_handshake_data = self.recv(1)
except OSError as e: # pylint:disable=redefined-outer-name
# EINVAL occurs for recv(1) on non-connected on unix sockets.
if e.errno not in (errno.ENOTCONN, errno.EINVAL):
raise
notconn_pre_handshake_data = b''
self.setblocking(blocking)
if notconn_pre_handshake_data:
# This prevents pending data sent to the socket before it was
# closed from escaping to the caller who could otherwise
# presume it came through a successful TLS connection.
reason = "Closed before TLS handshake with data in recv buffer."
notconn_pre_handshake_data_error = SSLError(e.errno, reason)
# Add the SSLError attributes that _ssl.c always adds.
notconn_pre_handshake_data_error.reason = reason
notconn_pre_handshake_data_error.library = None
try:
self.close()
except OSError:
pass
raise notconn_pre_handshake_data_error
else:
connected = True
self._connected = connected
Expand Down

0 comments on commit bd35572

Please sign in to comment.