Co-authored-by: Thomas Grainger <tagrain@gmail.com>
Co-authored-by: Guido van Rossum <gvanrossum@gmail.com>
(cherry picked from commit 6281affe)

Co-authored-by: Hendrik Makait <hendrik.makait@gmail.com>

(cherry picked from commit 50a70a08)

Co-authored-by: Mark Shannon <mark@hotpy.org>

(cherry picked from commit 88a7f661)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>

A regression would still absolutely fail and even a flaky pass isn't
harmful as it'd fail most of the time across our N system test runs.

Windows has a low resolution timer and CI systems are prone to odd
timing so this just gives more leeway to avoid flakiness.
(cherry picked from commit 11e3548f)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

Co-authored-by: Brandt Bucher <brandtbucher@gmail.com>
(cherry picked from commit aa3b4cf7)

(cherry picked from commit b9634ac7)

Co-authored-by: philg314 <110174000+philg314@users.noreply.github.com>

(cherry picked from commit 3adb4d86)

Co-authored-by: Michael Droettboom <mdboom@gmail.com>

Co-authored-by: Michael Droettboom <mdboom@gmail.com>

(cherry picked from commit 1402d2ce)

Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>

Co-authored-by: Mark Dickinson <dickinsm@gmail.com>
Co-authored-by: Sergey B Kirpichev <skirpichev@gmail.com>

Co-authored-by: Michael Droettboom <mdboom@gmail.com>

Fix the faulthandler implementation of faulthandler.register(signal,
chain=True) if the sigaction() function is not available: don't call
the previous signal handler if it's NULL.
(cherry picked from commit c580a81a)

Co-authored-by: Victor Stinner <vstinner@python.org>

This makes tokenizer.c:valid_utf8 match stringlib/codecs.h:decode_utf8.

It also fixes an off-by-one error introduced in 3.10 for the line number when the tokenizer reports bad UTF8.
(cherry picked from commit 8bc356a7)

Co-authored-by: Michael Droettboom <mdboom@gmail.com>

(cherry picked from commit 4114bcc9)

Co-authored-by: Steve Dower <steve.dower@python.org>

There were two specific areas not covered:

- %(name) syntax
- %*s syntax

Automerge-Triggered-By: GH:iritkatriel
(cherry picked from commit dde15f58)

Co-authored-by: Michael Droettboom <mdboom@gmail.com>

(cherry picked from commit 2fd7246e)

Co-authored-by: Nikita Sobolev <mail@sobolevn.me>

(cherry picked from commit 05692c67)

Co-authored-by: Michael Droettboom <mdboom@gmail.com>

(cherry picked from commit 67444902)

Co-authored-by: Kumar Aditya <59607654+kumaraditya303@users.noreply.github.com>

(cherry picked from commit 95e271b2)

Co-authored-by: Mark Shannon <mark@hotpy.org>

This doesn't happen naturally, but is allowed by the ASDL and compiler.
We don't want to change ASDL for backward compatibility reasons
(GH-57645, GH-92987)
(cherry picked from commit 200c9a8d)

Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>

Co-authored-by: Shantanu <12621235+hauntsaninja@users.noreply.github.com>

gh-96559: Fixes Windows launcher handling of defaults using old-style tags, and adds What's New section (GH-96595)

(cherry picked from commit 80a9bd2e)

Co-authored-by: Steve Dower <steve.dower@python.org>

This Monty Python reference is of-its-time. It could seem inappropriate in the context of today's sensibilities around mental health.

Automerge-Triggered-By: GH:iritkatriel
(cherry picked from commit c4999f26)

Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>

(cherry picked from commit 991b3712)

Co-authored-by: Ned Deily <nad@python.org>

(cherry picked from commit 9e556857)

Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>

Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

The justification for the current check. The C code check is:
```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```

In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
(cherry picked from commit b1261968)

Co-authored-by: Mark Dickinson <dickinsm@gmail.com>

accross -> across
(cherry picked from commit 6adb89f5)

Co-authored-by: Ikko Ashimine <eltociear@gmail.com>

Per mdickinson@'s comment on the main branch PR.
(cherry picked from commit 69bb83c2)

Co-authored-by: Gregory P. Smith <greg@krypto.org>

(cherry picked from commit af6359dd)

Co-authored-by: Mehrdad Moradizadeh <mhrddmoradii@gmail.com>

(cherry picked from commit 837ce646)

Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>

Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>

Co-authored-by: Jelle Zijlstra <jelle.zijlstra@gmail.com>
Co-authored-by: Martin Panter <vadmium@users.noreply.github.com>
Co-authored-by: Terry Jan Reedy <tjreedy@udel.edu>
(cherry picked from commit ccce9b77)

Co-authored-by: Cheryl Sabella <cheryl.sabella@gmail.com>

Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499

 aka 511ca945

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).

Also rearrange some items in the list.

Co-authored-by: Thomas Grainger <tagrain@gmail.com>
(cherry picked from commit 2a9e4e4d)

Co-authored-by: siph <42943030+siphc@users.noreply.github.com>

Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
(cherry picked from commit 91f40f3f)

Co-authored-by: Erlend E. Aasland <erlend.aasland@innova.no>

(cherry picked from commit a91f2557)

Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>

(cherry picked from commit f7e7bf16)

Co-authored-by: Erlend E. Aasland <erlend.aasland@protonmail.com>