cpython/Lib
Gregory P. Smith 8f0fa4bd10
[3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96501)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499 aka 511ca94520

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo by many others (see the NEWS entry in the PR).

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
2022-09-02 09:51:49 -07:00
asyncio bpo-45924: Fix asyncio incorrect traceback when future's exception is raised multiple times (GH-30274) (#94748) 2022-07-11 15:38:27 +01:00
collections Fix minor details in the Counter docs (GH-31029) (GH-31072) 2022-02-01 23:28:07 -06:00
concurrent [3.10] gh-95166: cancel map waited on future on timeout (GH-95169) (GH-95375) 2022-07-29 14:36:58 +02:00
ctypes [3.10] bpo-46913: Fix test_ctypes, test_hashlib, test_faulthandler on UBSan (GH-31675) 2022-03-04 01:12:06 +01:00
curses
dbm
distutils [3.10] Fix typos in the Lib directory (GH-28775) (GH-28804) 2021-10-07 11:49:47 -04:00
email gh-95087: Fix IndexError in parsing invalid date in the email module (GH-95201) 2022-07-24 23:39:00 -07:00
encodings [3.10] bpo-45467: Fix IncrementalDecoder and StreamReader in the "raw-unicode-escape" codec (GH-28944) (GH-28952) 2021-10-14 21:23:39 +03:00
ensurepip gh-95609: update bundled pip to 22.2.2 (gh-95610) 2022-08-03 13:11:41 -07:00
html Add source for character mappings (GH-92014) (#92389) 2022-05-06 12:58:16 +02:00
http Run Tools/scripts/reindent.py (#94225) (#94291) 2022-06-26 12:39:16 +02:00
idlelib [3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96501) 2022-09-02 09:51:49 -07:00
importlib gh-93353: Fix importlib.resources._tempfile() finalizer (GH-93377) 2022-06-13 10:52:50 -07:00
json bpo-46001: Change OverflowError to RecursionError in JSON library docstrings (GH-29943) 2021-12-07 02:20:10 -08:00
lib2to3 bpo-46542: test_lib2to3 uses support.infinite_recursion() (GH-31035) 2022-01-31 12:03:40 -08:00
logging [3.10] gh-89047: Fix msecs computation so you never end up with 1000 msecs. (GH-96340) (GH-96342) 2022-08-27 15:10:17 +01:00
msilib [3.10] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28511) 2021-09-29 12:36:59 +01:00
multiprocessing GH-83658: make multiprocessing.Pool raise an exception if maxtasksperchild is not None or a positive int (GH-93364) (GH-93924) 2022-06-17 23:32:15 +01:00
pydoc_data Python 3.10.6 2022-08-01 21:25:27 +01:00
site-packages
sqlite3 [3.10] gh-79009: sqlite3.iterdump now correctly handles tables with autoincrement (GH-9621) (#94015) 2022-06-20 02:14:57 +02:00
test [3.10] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96501) 2022-09-02 09:51:49 -07:00
tkinter bpo-13553: Document tkinter.Tk args (GH-4786) 2022-05-09 21:27:37 -07:00
turtledemo bpo-44254: On Mac, remove disfunctional colors from turtledemo buttons (GH-26448) 2021-05-29 03:34:57 -04:00
unittest gh-96021: Explicitly tear down the IsolatedAsyncioTestCase loop in tests (GH-96135) (GH-96235) 2022-08-28 08:35:39 +03:00
urllib bpo-42627: Fix incorrect parsing of Windows registry proxy settings (GH-26307) 2022-05-12 01:21:39 +01:00
venv [3.10] bpo-43749: Ensure current exe is copied when using venv on windows (GH-25216) (GH-30034) 2021-12-10 17:51:42 +00:00
wsgiref [3.10] Fix typos in the Lib directory (GH-28775) (GH-28804) 2021-10-07 11:49:47 -04:00
xml gh-96175: add missing self._localName assignment in xml.dom.minidom.Attr (GH-96176) 2022-08-23 09:42:10 -07:00
xmlrpc bpo-45386: Handle strftime's ValueError graciously in xmlrpc.client (GH-28765) (GH-28934) 2021-10-13 19:59:45 +02:00
zoneinfo [3.10] Fix typos in the Lib directory (GH-28775) (GH-28804) 2021-10-07 11:49:47 -04:00
__future__.py
__phello__.foo.py
_aix_support.py
_bootsubprocess.py
_collections_abc.py [3.10] replace self param with more appropriate cls in classmethods (GH-31402) (GH-31446) 2022-02-20 15:45:13 +02:00
_compat_pickle.py
_compression.py
_markupbase.py
_osx_support.py [3.10] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28511) 2021-09-29 12:36:59 +01:00
_py_abc.py
_pydecimal.py bpo-43475: Fix the Python implementation of hash of Decimal NaN (GH-26679) 2021-06-13 07:05:28 -07:00
_pyio.py bpo-25415: Remove confusing sentence from IOBase docstrings (PR-31631) 2022-03-04 10:33:57 -08:00
_sitebuiltins.py
_strptime.py
_threading_local.py
_weakrefset.py bpo-44962: Fix a race in WeakKeyDict, WeakValueDict and WeakSet when two threads attempt to commit the last pending removal (GH-27921) 2021-08-28 11:09:21 -07:00
abc.py Clarify the order of a stacked abstractmethod (GH-26892) 2021-06-27 11:50:38 -07:00
aifc.py
antigravity.py
argparse.py gh-91832: Add 'required' attr to argparse.Action repr (GH-91841) 2022-04-28 08:27:17 -07:00
ast.py [3.10] bpo-44559: [Enum] revert enum module to 3.9 (GH-27010) 2021-07-03 21:08:42 -07:00
asynchat.py [3.10] bpo-47022: Document asynchat, asyncore and smtpd removals in 3.12 (GH-31891) (#31997) 2022-03-20 22:38:01 +02:00
asyncore.py [3.10] bpo-47022: Document asynchat, asyncore and smtpd removals in 3.12 (GH-31891) (#31997) 2022-03-20 22:38:01 +02:00
base64.py
bdb.py fix docstring typo in bdb.py (GH-22323) (#26179) 2021-05-17 00:42:56 +01:00
binhex.py
bisect.py
bz2.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-18 20:15:48 -07:00
calendar.py bpo-46266: Add calendar day of week constants to __all__ (GH-30412) (GH-30424) 2022-01-23 02:00:11 +01:00
cgi.py
cgitb.py bpo-44740: Lowercase "internet" and "web" where appropriate. (GH-27378) (GH-27380) 2021-07-27 00:34:32 +02:00
chunk.py
cmd.py
code.py
codecs.py
codeop.py [3.10] bpo-46521: Fix codeop to use a new partial-input mode of the parser (GH-31010). (GH-31213) 2022-02-08 12:25:15 +00:00
colorsys.py
compileall.py Fix missing space with help for -m compileall -o (GH-27591) (GH-28430) 2021-09-18 01:02:32 +02:00
configparser.py [3.10] bpo-45173: Note configparser deprecations will be removed in 3.12 (GH-31084) 2022-02-02 10:41:30 -08:00
contextlib.py [3.10] bpo-44594: fix (Async)ExitStack handling of __context__ (gh-27089) (GH-28730) 2021-10-04 23:21:34 -07:00
contextvars.py
copy.py gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609) (GH-93632) 2022-06-10 15:59:39 +02:00
copyreg.py bpo-44676: Serialize the union type using only public API (GH-27323) (GH-27340) 2021-07-24 22:35:33 +03:00
cProfile.py
crypt.py gh-95231: Disable md5 & crypt modules if FIPS is enabled (GH-94742) 2022-08-30 00:59:56 -07:00
csv.py bpo-43625: Enhance csv sniffer has_headers() to be more accurate (GH-26939) (GH-27494) 2021-07-30 19:30:09 +02:00
dataclasses.py bpo-45663: Fix is_dataclass() for dataclasses which are subclasses of types.GenericAlias (GH-29294) 2021-12-05 13:04:29 -08:00
datetime.py Check result of utc_to_seconds and skip fold probe in pure Python (GH-91582) 2022-05-14 08:01:53 -07:00
decimal.py
difflib.py Correct method name typo (GH-91970) 2022-04-27 15:19:43 -07:00
dis.py [3.10] bpo-45757: Fix bug where dis produced an incorrect oparg on EXTENDED_ARG before a no-arg opcode (GH-29480) (GH-29506) 2021-11-09 22:05:30 +00:00
doctest.py [3.10] bpo-28249: fix lineno location for empty DocTest instances (GH-30498) (#92981) 2022-05-19 21:16:57 +02:00
enum.py bpo-44559: [Enum] restore fixes lost in 3.9 reversion (GH-29114) 2021-10-20 19:48:37 -07:00
filecmp.py bpo-42958: Improve description of shallow= in filecmp.cmp docs (GH-27166) 2021-08-04 13:03:33 -07:00
fileinput.py gh-93157: Fix fileinput didn't support errors in inplace mode (GH-95128) 2022-07-23 20:02:40 -07:00
fnmatch.py gh-89973: Fix re.error in the fnmatch module. (GH-93072) 2022-06-05 02:39:03 -07:00
fractions.py
ftplib.py
functools.py [3.10] bpo-46032: Check types in singledispatch's register() at declaration time (GH-30050) (GH-30254) 2021-12-25 16:12:32 +02:00
genericpath.py
getopt.py
getpass.py update docstring for win_getpass to reflect code changes (GH-24967) 2021-05-04 00:08:09 -07:00
gettext.py
glob.py bpo-44482: Fix very unlikely resource leak in glob in non-CPython implementations (GH-26843) (GH-26872) 2021-06-23 13:28:08 +03:00
graphlib.py [3.10] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28511) 2021-09-29 12:36:59 +01:00
gzip.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-18 20:15:48 -07:00
hashlib.py
heapq.py
hmac.py
imaplib.py
imghdr.py
imp.py
inspect.py gh-84753: Make inspect.iscoroutinefunction() work with AsyncMock (GH-94050) (GH-94461) 2022-06-30 20:02:15 +02:00
io.py
ipaddress.py bpo-46415: Use f-string for ValueError in ipaddress.ip_{address,network,interface} helper functions (GH-30642) 2022-05-03 05:37:17 -07:00
keyword.py
linecache.py gh-92336: linecache.getline should not raise exceptions on decoding errors (GH-94410) 2022-06-30 02:46:27 -07:00
locale.py
lzma.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-18 20:15:48 -07:00
mailbox.py
mailcap.py
mimetypes.py bpo-20392: Fix inconsistency with uppercase file extensions in mimetypes.guess_type (GH-30229) 2022-03-15 08:14:19 -07:00
modulefinder.py
netrc.py bpo-43733: netrc try to use UTF-8 before using locale encoding. (GH-25781) 2021-05-02 14:01:02 +09:00
nntplib.py
ntpath.py bpo-42658: Use LCMapStringEx in ntpath.normcase to match OS behaviour for case-folding (GH-93674) 2022-06-10 17:36:02 +01:00
nturl2path.py
numbers.py bpo-44072: fix Complex, Integral docs for ** (GH-25986) 2021-05-14 15:22:45 -07:00
opcode.py bpo-43754: Eliminate bindings for partial pattern matches (GH-25229) 2021-05-02 13:02:10 -07:00
operator.py bpo-44558: Match countOf is/== treatment to c (GH-27007) 2021-07-07 06:50:41 -07:00
optparse.py
os.py
pathlib.py gh-93156 - fix negative indexing into absolute pathlib.PurePath().parents (GH-93273) 2022-06-03 14:53:00 -07:00
pdb.py bpo-46434: Handle missing docstrings in pdb help (GH-30705) 2022-01-21 11:32:43 -08:00
pickle.py gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609) (GH-93632) 2022-06-10 15:59:39 +02:00
pickletools.py
pipes.py Change type check to isinstance in pipes (GH-27291) (GH-27416) 2021-07-28 16:08:51 +02:00
pkgutil.py [3.10] [codemod] Fix non-matching bracket pairs (GH-28473) (GH-28511) 2021-09-29 12:36:59 +01:00
platform.py [3.10] Fix typos in the Lib directory (GH-28775) (GH-28804) 2021-10-07 11:49:47 -04:00
plistlib.py [3.10] bpo-44559: [Enum] revert enum module to 3.9 (GH-27010) 2021-07-03 21:08:42 -07:00
poplib.py
posixpath.py [3.10] gh-91838: Resolve more HTTP links which redirect to HTTPS (GH-95650). (GH-95786) 2022-08-08 18:09:06 +03:00
pprint.py bpo-45557: Fix underscore_numbers in pprint.pprint(). (GH-29129) 2021-10-21 14:16:59 -07:00
profile.py
pstats.py [3.10] bpo-44559: [Enum] revert enum module to 3.9 (GH-27010) 2021-07-03 21:08:42 -07:00
pty.py bpo-26228: [doc] Adapt PTY documentation updates from GH-4167 (GH-27754) 2021-08-13 04:21:06 -07:00
py_compile.py bpo-45428: Fix reading filenames from stdin in py_compile (GH-28848) 2021-10-15 05:14:35 -07:00
pyclbr.py
pydoc.py [3.10] bpo-40296: Fix supporting generic aliases in pydoc (GH-30253). (GH-31976) 2022-03-18 20:46:31 +02:00
queue.py gh-90879: Fix missing parameter for put_nowait() (GH-91514) 2022-04-14 02:18:31 -07:00
quopri.py
random.py bpo-44018: random.seed() no longer mutates its inputs (GH-25856) (GH-25872) 2021-05-03 19:45:30 -07:00
re.py [3.10] bpo-44559: [Enum] revert enum module to 3.9 (GH-27010) 2021-07-03 21:08:42 -07:00
reprlib.py
rlcompleter.py bpo-44752: refactor part of rlcompleter.Completer.attr_matches (GH-27433) (GH-27447) 2021-07-29 17:44:42 +02:00
runpy.py bpo-26792: Improve docstrings of runpy module run_functions (GH-30729) 2022-04-29 11:45:43 -07:00
sched.py
secrets.py
selectors.py
shelve.py
shlex.py
shutil.py gh-94844: Add pathlib support to shutil archive management (GH-94846) 2022-07-20 09:24:33 -07:00
signal.py [3.10] bpo-27718: Fix help for the signal module (GH-30063) (GH-30080) 2021-12-13 12:14:51 +02:00
site.py
smtpd.py [3.10] bpo-47022: Document asynchat, asyncore and smtpd removals in 3.12 (GH-31891) (#31997) 2022-03-20 22:38:01 +02:00
smtplib.py bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) 2021-08-29 07:43:39 -07:00
sndhdr.py
socket.py Remove the execution bit to some socket-related files. (GH-93368) 2022-06-01 00:31:31 -07:00
socketserver.py
sre_compile.py [3.10] gh-91575: Update case-insensitive matching in re to the latest Unicode version (GH-91580). (GH-91661) 2022-04-22 21:44:05 +03:00
sre_constants.py [3.10] gh-92049: Forbid pickling constants re._constants.SUCCESS etc (GH-92070) (GH-92073) 2022-04-30 15:33:39 +03:00
sre_parse.py [3.10] gh-91700: Validate the group number in conditional expression in RE (GH-91702) (GH-91831) 2022-04-22 21:09:30 +03:00
ssl.py bpo-46604: fix function name in ssl module docstring (GH-31064) 2022-05-03 09:24:39 -07:00
stat.py
statistics.py Fix double-space in exception message (GH-29955) 2021-12-08 03:07:27 -08:00
string.py
stringprep.py
struct.py
subprocess.py [3.10] gh-91401: Conservative backport of subprocess._USE_VFORK (#91932) 2022-05-01 16:09:50 -07:00
sunau.py
symtable.py Change list to view object (GH-93661) 2022-06-11 04:13:38 -07:00
sysconfig.py [3.10] Fix typos in the Lib directory (GH-28775) (GH-28804) 2021-10-07 11:49:47 -04:00
tabnanny.py
tarfile.py gh-91387: Strip trailing slash from tarfile longname directories (GH-32423) 2022-06-21 11:09:55 -07:00
telnetlib.py
tempfile.py gh-83499: Fix closing file descriptors in tempfile (GH-93874) 2022-06-26 01:17:19 -07:00
textwrap.py
this.py
threading.py fix threading.Event.isSet() docstring (GH-96297) 2022-08-26 22:30:41 -07:00
timeit.py
token.py
tokenize.py bpo-44667: Treat correctly lines ending with comments and no newlines in the Python tokenizer (GH-27499) (GH-27500) 2021-08-02 11:43:45 +02:00
trace.py
traceback.py bpo-45614: Fix traceback display for exceptions with invalid module name (GH-29726) (GH-29826) 2021-11-29 10:07:24 +00:00
tracemalloc.py
tty.py
turtle.py bpo-45837: Note tiltangle is not deprecated, it's really settiltangle (GH-29629) 2021-11-19 19:55:40 +01:00
types.py bpo-45664: Fix resolve_bases() and new_class() for GenericAlias instance as a base (GH-29298) 2021-12-05 13:26:37 -08:00
typing.py [3.10] gh-94245: Fix pickling and copying of typing.Tuple[()] (GH-94260) 2022-06-25 18:45:46 +03:00
uu.py
uuid.py [3.10] bpo-44559: [Enum] revert enum module to 3.9 (GH-27010) 2021-07-03 21:08:42 -07:00
warnings.py
wave.py
weakref.py bpo-44962: Fix a race in WeakKeyDict, WeakValueDict and WeakSet when two threads attempt to commit the last pending removal (GH-27921) 2021-08-28 11:09:21 -07:00
webbrowser.py bpo-44740: Lowercase "internet" and "web" where appropriate. (GH-27378) (GH-27380) 2021-07-27 00:34:32 +02:00
xdrlib.py
zipapp.py
zipfile.py [3.10] gh-83245: Raise BadZipFile instead of ValueError when reading a corrupt ZIP file (GH-32291) (GH-93140) 2022-05-25 00:57:56 -07:00
zipimport.py [3.10] bpo-45183: don't raise an exception when calling zipimport.zipimporter.find_spec() when the zip file is missing and the internal cache has been reset (GH-28435) (#28438) 2021-09-17 17:46:22 -07:00