-
- Downloads
[3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (GH-96504)
Converting between `int` and `str` in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a `ValueError` if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735). This new limit can be configured or disabled by environment variable, command line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length Limitation` documentation. The default limit is 4300 digits in string form. Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
Showing
- Doc/data/python3.7m.abi 4 additions, 0 deletionsDoc/data/python3.7m.abi
- Doc/library/functions.rst 8 additions, 0 deletionsDoc/library/functions.rst
- Doc/library/json.rst 11 additions, 0 deletionsDoc/library/json.rst
- Doc/library/stdtypes.rst 159 additions, 0 deletionsDoc/library/stdtypes.rst
- Doc/library/sys.rst 46 additions, 13 deletionsDoc/library/sys.rst
- Doc/library/test.rst 10 additions, 0 deletionsDoc/library/test.rst
- Doc/using/cmdline.rst 13 additions, 0 deletionsDoc/using/cmdline.rst
- Doc/whatsnew/3.7.rst 13 additions, 2 deletionsDoc/whatsnew/3.7.rst
- Include/internal/pycore_long.h 49 additions, 0 deletionsInclude/internal/pycore_long.h
- Include/internal/pystate.h 6 additions, 0 deletionsInclude/internal/pystate.h
- Lib/test/support/__init__.py 10 additions, 0 deletionsLib/test/support/__init__.py
- Lib/test/test_ast.py 8 additions, 0 deletionsLib/test/test_ast.py
- Lib/test/test_cmd_line.py 34 additions, 0 deletionsLib/test/test_cmd_line.py
- Lib/test/test_compile.py 13 additions, 0 deletionsLib/test/test_compile.py
- Lib/test/test_decimal.py 18 additions, 0 deletionsLib/test/test_decimal.py
- Lib/test/test_int.py 196 additions, 0 deletionsLib/test/test_int.py
- Lib/test/test_json/test_decode.py 8 additions, 0 deletionsLib/test/test_json/test_decode.py
- Lib/test/test_sys.py 8 additions, 2 deletionsLib/test/test_sys.py
- Lib/test/test_xmlrpc.py 10 additions, 0 deletionsLib/test/test_xmlrpc.py
- Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst 14 additions, 0 deletions.../Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst
Loading
Please register or sign in to comment