Skip to content
Snippets Groups Projects
Unverified Commit f8b71da9 authored by Gregory P. Smith's avatar Gregory P. Smith Committed by GitHub
Browse files

[3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500)

Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499

 aka 511ca945

Signed-off-by: default avatarChristian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: default avatarGregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
parent 57116d56
Branches
Tags
No related merge requests found
Showing
with 523 additions and 19 deletions
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment