This release is a security fix for the PyString::from_object method, which passed &str data to the Python C API without checking for a terminating nul byte. All historical PyO3 versions are affected, and we recommend you upgrade if you are using PyString::from_object. Thank you to @vthib for the report and @Dr-Emann for the fix. A RUSTSEC advisory will be published shortly.
Aside from the security fix, this release contains a number of other non-breaking additions:
- An
abi3-py313feature to support compiling with the Python 3.13 stable ABI. PyAnyMethods::getattr_optto get optional attributes without paying the cost of a Python exception when the attribute in question does not exist.- Constructor for
PyInt::new. with_critical_section2for locking two objects at the same time on the free-threaded build.- Fix for a PyO3 0.24.0 regression with
Option<&str>andOption<&T>(whereT: PyClass) function arguments no longer being permitted
There are also a few other small bug fixes for edge cases, mostly related to compile errors from PyO3's macro code.
Thank you to the following contributors for the improvements:
@bschoenmaeckers
@davidhewitt
@Dr-Emann
@emmagordon
@epontan
@Icxolu
@IvanIsCoding
@jelmer
@jonaspleyer
@ngoldbaum
@Owen-CH-Leung
@Tpt
@Trolldemorted
@XuehaiPan