2.3.3

* Fix: patterns for pypy2.*/pypy3.* versions

* Shrink pypy patterns

* Fix extglob pattern

* Fix: no regex-charclasses like '[:digit:]' in 'extglob', needs also double-activation for parse/runtime stage

Co-authored-by: native-api <vano@mail.mipt.ru>
Co-authored-by: Bjoern Schneider <bjoern.schneider@scribos.com>

CHANGELOG.md

@@ -1,5 +1,16 @@
 ## Version History
 
+## Release 2.3.3
+
+* Use version sort in `pyenv versions` (#2405)
+* Add CPython 3.11.0b4 (#2411)
+* Python-build: Replace deprecated git protocol use with https in docs (#2413)
+* Fix relative path traversal due to using version string in path (#2412)
+* Allow pypy2 and pypy3 patching (#2421, #2419)
+* Add CPython 3.11.0b5 (#2420)
+* Add GraalPython 22.2.0 (#2425)
+* Add CPython 3.10.6 (#2428)
+
 ## Release 2.3.2
 
 * Add CPython 3.11.0b2 (#2380)

CONTRIBUTING.md

@@ -1,7 +1,7 @@
 General guidance
 ================
 
-* The usual principes of respecting existing conventions and making sure that your changes
+* The usual principles of respecting existing conventions and making sure that your changes
   are in line with the overall product design apply when contributing code to Pyenv.
 
 * We are limited to Bash 3.2 features

libexec/pyenv---version

@@ -12,7 +12,7 @@
 set -e
 [ -n "$PYENV_DEBUG" ] && set -x
 
-version="2.3.2"
+version="2.3.3"
 git_revision=""
 
 if cd "${BASH_SOURCE%/*}" 2>/dev/null && git remote -v 2>/dev/null | grep -q pyenv; then

libexec/pyenv-version-file-read

@@ -11,9 +11,16 @@ if [ -s "$VERSION_FILE" ]; then
   IFS="${IFS}"$'\r'
   sep=
   while read -n 1024 -r version _ || [[ $version ]]; do
-      [[ -z $version || $version == \#* ]] && continue
-      printf "%s%s" "$sep" "$version"
-      sep=:
+    if [[ -z $version || $version == \#* ]]; then
+      # Skip empty lines and comments
+      continue
+    elif [ "$version" = ".." ] || [[ $version == */* ]]; then
+      # The version string is used to construct a path and we skip dubious values.
+      # This prevents issues such as path traversal (CVE-2022-35861).
+      continue
+    fi
+    printf "%s%s" "$sep" "$version"
+    sep=:
   done <"$VERSION_FILE"
   [[ $sep ]] && { echo; exit; }
 fi

libexec/pyenv-versions

@@ -123,7 +123,19 @@ if [ -n "$include_system" ] && \
 fi
 
 shopt -s dotglob nullglob
-for path in "$versions_dir"/*; do
+versions_dir_entries=("$versions_dir"/*)
+if sort --version-sort </dev/null >/dev/null 2>&1; then
+    # system sort supports version sorting
+    OLDIFS="$IFS"
+    IFS=$'\n'
+    versions_dir_entries=($(
+        printf "%s\n" "${versions_dir_entries[@]}" |
+        sort --version-sort
+    ))
+    IFS="$OLDIFS"
+fi
+
+for path in "${versions_dir_entries[@]}"; do
   if [ -d "$path" ]; then
     if [ -n "$skip_aliases" ] && [ -L "$path" ]; then
       target="$(realpath "$path")"

plugins/python-build/README.md

@@ -24,7 +24,7 @@ Installing python-build as a standalone program will give you access to the
 `python-build` command for precise control over Python version installation. If you
 have pyenv installed, you will also be able to use the `pyenv install` command.
 
-    git clone git://github.com/pyenv/pyenv.git
+    git clone https://github.com/pyenv/pyenv.git
     cd pyenv/plugins/python-build
     ./install.sh
 

plugins/python-build/bin/python-build

@@ -1637,10 +1637,19 @@ build_package_auto_tcltk() {
   fi
 }
 
+# extglob must be set at parse time, not at runtime
+# https://stackoverflow.com/questions/49283740/bash-script-throws-syntax-errors-when-the-extglob-option-is-set-inside-a-subsh
+#
+# The function is *parsed* with "extglob" only if an outer `shopt -s exglob`
+# exists; at *runtime* you still need to activate it *within* the function.
+#
+shopt -s extglob
 apply_python_patch() {
   local patchfile
+  # needed at runtime
+  shopt -s extglob
   case "$1" in
-  Python-* | jython-* | pypy-* | stackless-* )
+  Python-* | jython-* | pypy-* | pypy[0-9].+([0-9])-* | stackless-* )
     patchfile="$(mktemp "${TMP}/python-patch.XXXXXX")"
     cat "${2:--}" >"$patchfile"
 
@@ -1649,7 +1658,9 @@ apply_python_patch() {
     patch -p$striplevel --force -i "$patchfile"
     ;;
   esac
+  shopt -u extglob
 }
+shopt -u extglob
 
 build_package_symlink_version_suffix() {
   if [[ "$CONFIGURE_OPTS $PYTHON_CONFIGURE_OPTS" == *"--enable-framework"* ]]; then

plugins/python-build/share/python-build/3.10.6

@@ -0,0 +1,9 @@
+prefer_openssl11
+export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
+install_package "openssl-1.1.1o" "https://www.openssl.org/source/openssl-1.1.1o.tar.gz#9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f" mac_openssl --if has_broken_mac_openssl
+install_package "readline-8.1" "https://ftpmirror.gnu.org/readline/readline-8.1.tar.gz#f8ceb4ee131e3232226a17f51b164afc46cd0b9e6cef344be87c65962cb82b02" mac_readline --if has_broken_mac_readline
+if has_tar_xz_support; then
+    install_package "Python-3.10.6" "https://www.python.org/ftp/python/3.10.6/Python-3.10.6.tar.xz#f795ff87d11d4b0c7c33bc8851b0c28648d8a4583aa2100a98c22b4326b6d3f3" standard verify_py310 copy_python_gdb ensurepip
+else
+    install_package "Python-3.10.6" "https://www.python.org/ftp/python/3.10.6/Python-3.10.6.tgz#848cb06a5caa85da5c45bd7a9221bb821e33fc2bdcba088c127c58fad44e6343" standard verify_py310 copy_python_gdb ensurepip
+fi

plugins/python-build/share/python-build/3.11.0b5

@@ -3,7 +3,7 @@ export PYTHON_BUILD_CONFIGURE_WITH_OPENSSL=1
 install_package "openssl-1.1.1n" "https://www.openssl.org/source/openssl-1.1.1n.tar.gz#40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" mac_openssl --if has_broken_mac_openssl
 install_package "readline-8.0" "https://ftpmirror.gnu.org/readline/readline-8.0.tar.gz#e339f51971478d369f8a053a330a190781acb9864cf4c541060f12078948e461" mac_readline --if has_broken_mac_readline
 if has_tar_xz_support; then
-    install_package "Python-3.11.0b3" "https://www.python.org/ftp/python/3.11.0/Python-3.11.0b3.tar.xz#c9b99f5315ea30f8e9fcbce6807a3739e875480d29124e6d9940f6fabcb7c902" standard verify_py311 copy_python_gdb ensurepip
+    install_package "Python-3.11.0b5" "https://www.python.org/ftp/python/3.11.0/Python-3.11.0b5.tar.xz#3810bd22f7dc34a99c2a2eb4b85264a4df4f05ef59c4e0ccc2ea82ee9c491698" standard verify_py311 copy_python_gdb ensurepip
 else
-    install_package "Python-3.11.0b3" "https://www.python.org/ftp/python/3.11.0/Python-3.11.0b3.tgz#f52b738043251c88e3d6bb86e30cbf0e1098470a06b9d49feb31f145af5e8149" standard verify_py311 copy_python_gdb ensurepip
+    install_package "Python-3.11.0b5" "https://www.python.org/ftp/python/3.11.0/Python-3.11.0b5.tgz#3f7d1a4ab0e64425f4ffd92d49de192ad2ee1c62bc52e3877e9f7b254c702e60" standard verify_py311 copy_python_gdb ensurepip
 fi

plugins/python-build/share/python-build/graalpython-22.2.0

@@ -0,0 +1,48 @@
+# Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+# of the Software, and to permit persons to whom the Software is furnished to do
+# so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+VERSION='22.2.0'
+BUILD=''
+
+case "$(pypy_architecture 2>/dev/null || true)" in
+"linux64" )
+  graalpython_arch="linux"
+  checksum="75a7e5d7afc158169fd87df9c69c3801aa0293dd727ba09facad6b01e1b6dee5"
+  ;;
+"osx64" )
+  graalpython_arch="macos"
+  checksum="575d78ae2be8d4ce4adbc9c61229b6f1271f557f0f3ec410a494de7b29986dd7"
+  ;;
+* )
+  { echo
+    colorize 1 "ERROR"
+    echo ": No binary distribution of GraalPython is available for $(pypy_architecture 2>/dev/null || true)."
+    echo
+  } >&2
+  exit 1
+  ;;
+esac
+
+if [ -n "${BUILD}" ]; then
+  urlprefix="https://github.com/graalvm/graalvm-ce-dev-builds/releases/download/${VERSION}-${BUILD}"
+else
+  urlprefix="https://github.com/oracle/graalpython/releases/download/vm-${VERSION}"
+fi
+
+install_package "graalpython-${VERSION}${BUILD}" "${urlprefix}/graalpython-${VERSION}-${graalpython_arch}-amd64.tar.gz#${checksum}" "graalpython" ensurepip

test/version-file-read.bats

@@ -82,3 +82,15 @@ IN
   run pyenv-version-file-read my-version
   assert_success "3.9.3:3.8.9:2.7.16"
 }
+
+@test "skips relative path traversal" {
+  cat > my-version <<IN
+3.9.3
+3.8.9
+  ..
+./*
+2.7.16
+IN
+  run pyenv-version-file-read my-version
+  assert_success "3.9.3:3.8.9:2.7.16"
+}

test/versions.bats

@@ -17,6 +17,14 @@ stub_system_python() {
   touch "$stub" && chmod +x "$stub"
 }
 
+create_executable() {
+  local name="$1"
+  local bin="${PYENV_TEST_DIR}/bin"
+  mkdir -p "$bin"
+  sed -Ee '1s/^ +//' > "${bin}/$name"
+  chmod +x "${bin}/$name"
+}
+
 @test "no versions installed" {
   stub_system_python
   assert [ ! -d "${PYENV_ROOT}/versions" ]
@@ -161,3 +169,44 @@ OUT
   run pyenv-versions --bare
   assert_success ".venv"
 }
+
+@test "sort supports version sorting" {
+  create_version "1.9.0"
+  create_version "1.53.0"
+  create_version "1.218.0"
+  create_executable sort <<SH
+#!$BASH
+if [ "\$1" == "--version-sort" ]; then
+  echo "${PYENV_ROOT}/versions/1.9.0"
+  echo "${PYENV_ROOT}/versions/1.53.0"
+  echo "${PYENV_ROOT}/versions/1.218.0"
+else exit 1
+fi
+SH
+
+  run pyenv-versions --bare
+  assert_success
+  assert_output <<OUT
+1.9.0
+1.53.0
+1.218.0
+OUT
+}
+
+@test "sort doesn't support version sorting" {
+  create_version "1.9.0"
+  create_version "1.53.0"
+  create_version "1.218.0"
+  create_executable sort <<SH
+#!$BASH
+exit 1
+SH
+
+  run pyenv-versions --bare
+  assert_success
+  assert_output <<OUT
+1.218.0
+1.53.0
+1.9.0
+OUT
+}