cpython/Python
Gregory P. Smith 511ca94520
gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

* Issue: gh-95778

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
2022-09-02 09:35:08 -07:00
clinic gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
deepfreeze
frozen_modules
_warnings.c gh-91102: Port 8-argument _warnings.warn_explicit to Argument Clinic (#92891) 2022-07-20 22:24:51 +02:00
adaptive.md Update adaptive.md for inline caching (GH-31817) 2022-03-11 14:29:10 +00:00
asdl.c
ast.c gh-92597: Improve error message for AST nodes with invalid ranges (GH-93398) 2022-06-01 13:51:17 +01:00
ast_opt.c bpo-45995: add "z" format specifier to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
ast_unparse.c bpo-43224: Implement PEP 646 grammar changes (GH-31018) 2022-03-26 09:55:35 -07:00
bltinmodule.c GH-90230: Add stats to breakdown the origin of calls to PyEval_EvalFrame (GH-93284) 2022-05-27 16:31:41 +01:00
bootstrap_hash.c
ceval.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
ceval_gil.c GH-96177: Move GIL and eval breaker code out of ceval.c into ceval_gil.c. (GH-96204) 2022-08-24 14:21:01 +01:00
codecs.c bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
compile.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
condvar.h gh-74953: _PyThread_cond_after() uses _PyTime_t (#94056) 2022-06-21 15:45:49 +02:00
context.c Add more stats for freelist use and allocations. (GH-92211) 2022-05-03 16:40:24 -06:00
dtoa.c bpo-45412: Add _PY_SHORT_FLOAT_REPR macro (GH-31171) 2022-02-23 18:16:23 +01:00
dup2.c gh-95174: Handle missing dup() and constants in WASI (GH-95229) 2022-07-26 11:16:51 +02:00
dynamic_annotations.c
dynload_hpux.c
dynload_shlib.c
dynload_stub.c
dynload_win.c gh-92536: PEP 623: Remove wstr and legacy APIs from Unicode (GH-92537) 2022-05-12 14:48:38 +09:00
emscripten_signal.c bpo-47176: Interrupt handling for wasm32-emscripten builds without pthreads (GH-32209) 2022-04-03 22:58:52 +02:00
errors.c gh-94673: Add _PyStaticType_InitBuiltin() (#95152) 2022-07-25 12:47:31 -06:00
fileutils.c gh-95174: Handle missing dup() and constants in WASI (GH-95229) 2022-07-26 11:16:51 +02:00
formatter_unicode.c gh-89653: Use int type for Unicode kind (#92704) 2022-05-13 12:41:05 +02:00
frame.c GH-96237: Allow non-functions as reference-holder in frames. (GH-96238) 2022-08-25 10:16:55 +01:00
frozen.c bpo-46748: Don't import <stdbool.h> in public headers (GH-31553) 2022-02-25 09:25:54 +01:00
frozenmain.c gh-93103: Parser uses PyConfig.parser_debug instead of Py_DebugFlag (#93106) 2022-05-24 22:35:08 +02:00
future.c
getargs.c GH-95909: Make _PyArg_Parser initialization thread safe (GH-95958) 2022-08-16 11:22:14 -07:00
getcompiler.c
getcopyright.c
getopt.c gh-90300: split --help output into separate options (#30331) 2022-06-01 05:50:01 -04:00
getplatform.c
getversion.c
hamt.c GH-93207: Remove HAVE_STDARG_PROTOTYPES configure check for stdarg.h (#93215) 2022-05-27 13:30:45 +02:00
hashtable.c
import.c gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742) 2022-06-14 07:15:26 +03:00
importdl.c bpo-47162: Add call trampoline to mitigate bad fpcasts on Emscripten (GH-32189) 2022-03-30 12:28:33 -07:00
importdl.h bpo-47162: Add call trampoline to mitigate bad fpcasts on Emscripten (GH-32189) 2022-03-30 12:28:33 -07:00
initconfig.c gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
makeopcodetargets.py gh-94216: add pseudo instructions to the dis/opcodes modules (GH-94241) 2022-07-01 15:33:35 +01:00
marshal.c gh-78214: marshal: Stabilize FLAG_REF usage (GH-8226) 2022-05-04 10:01:15 +09:00
modsupport.c
mysnprintf.c
mystrtoul.c
opcode_targets.h gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
pathconfig.c gh-91985: Ensure in-tree builds override platstdlib_dir in every path calculation (GH-93641) 2022-06-16 22:41:57 +01:00
preconfig.c gh-77782: Deprecate global configuration variable (#93943) 2022-06-17 16:12:00 +02:00
pyarena.c
pyctype.c
pyfpe.c
pyhash.c
pylifecycle.c gh-96143: Allow Linux perf profiler to see Python calls (GH-96123) 2022-08-30 10:11:18 -07:00
pymath.c
pystate.c GH-96071: fix deadlock in PyGILState_Ensure (GH-96124) 2022-08-19 12:43:00 -07:00
pystrcmp.c
pystrhex.c gh-91768: C API no longer use "const PyObject*" type (#91769) 2022-04-21 22:07:19 +02:00
pystrtod.c bpo-45995: add "z" format specifier to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
Python-ast.c gh-95185: Check recursion depth in the AST constructor (#95186) 2022-07-24 15:58:52 +01:00
Python-tokenize.c gh-90928: Statically Initialize the Keywords Tuple in Clinic-Generated Code (gh-95860) 2022-08-11 15:25:49 -06:00
pythonrun.c gh-92651: Remove the Include/token.h header file (#92652) 2022-05-11 23:22:50 +02:00
pytime.c gh-74953: Add _PyTime_FromMicrosecondsClamp() function (#93942) 2022-06-17 16:11:13 +02:00
README
specialize.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
stdlib_module_names.h gh-93243: Make smtpd private before porting its users (GH-93246) 2022-08-05 17:41:29 -07:00
structmember.c
suggestions.c gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938) 2022-06-19 12:02:33 +02:00
symtable.c bpo-46765: Replace Locally Cached Strings with Statically Initialized Objects (gh-31366) 2022-02-22 17:23:51 -07:00
sysmodule.c gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
thread.c gh-96125: Fix sys.thread_info.name on pthread platforms (GH-96126) 2022-08-19 12:41:25 -07:00
thread_nt.h gh-88750: On Windows, PyThread_acquire_lock() no longer checks for NULL (#92586) 2022-05-10 02:00:38 +02:00
thread_pthread.h gh-95174: Add pthread stubs for WASI (GH-95234) 2022-07-27 20:28:06 +02:00
thread_pthread_stubs.h gh-95174: Add pthread stubs for WASI (GH-95234) 2022-07-27 20:28:06 +02:00
traceback.c gh-93883: elide traceback indicators when possible (#93994) 2022-07-11 07:40:53 +01:00

Miscellaneous source files for the main Python shared library