Skip to content
Snippets Groups Projects
Unverified Commit 15ec1afd authored by Gregory P. Smith's avatar Gregory P. Smith Committed by GitHub
Browse files

[3.7] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (GH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
parent d5fe9951
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment