cpython/Python
Gregory P. Smith 511ca94520
gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
2022-09-02 09:35:08 -07:00
clinic gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
deepfreeze
frozen_modules
_warnings.c gh-91102: Port 8-argument _warnings.warn_explicit to Argument Clinic (#92891) 2022-07-20 22:24:51 +02:00
adaptive.md
asdl.c
ast.c gh-92597: Improve error message for AST nodes with invalid ranges (GH-93398) 2022-06-01 13:51:17 +01:00
ast_opt.c
ast_unparse.c
bltinmodule.c GH-90230: Add stats to breakdown the origin of calls to PyEval_EvalFrame (GH-93284) 2022-05-27 16:31:41 +01:00
bootstrap_hash.c
ceval.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
ceval_gil.c GH-96177: Move GIL and eval breaker code out of ceval.c into ceval_gil.c. (GH-96204) 2022-08-24 14:21:01 +01:00
codecs.c
compile.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
condvar.h gh-74953: _PyThread_cond_after() uses _PyTime_t (#94056) 2022-06-21 15:45:49 +02:00
context.c Add more stats for freelist use and allocations. (GH-92211) 2022-05-03 16:40:24 -06:00
dtoa.c
dup2.c gh-95174: Handle missing dup() and constants in WASI (GH-95229) 2022-07-26 11:16:51 +02:00
dynamic_annotations.c
dynload_hpux.c
dynload_shlib.c
dynload_stub.c
dynload_win.c gh-92536: PEP 623: Remove wstr and legacy APIs from Unicode (GH-92537) 2022-05-12 14:48:38 +09:00
emscripten_signal.c
errors.c gh-94673: Add _PyStaticType_InitBuiltin() (#95152) 2022-07-25 12:47:31 -06:00
fileutils.c gh-95174: Handle missing dup() and constants in WASI (GH-95229) 2022-07-26 11:16:51 +02:00
formatter_unicode.c gh-89653: Use int type for Unicode kind (#92704) 2022-05-13 12:41:05 +02:00
frame.c GH-96237: Allow non-functions as reference-holder in frames. (GH-96238) 2022-08-25 10:16:55 +01:00
frozen.c
frozenmain.c gh-93103: Parser uses PyConfig.parser_debug instead of Py_DebugFlag (#93106) 2022-05-24 22:35:08 +02:00
future.c
getargs.c GH-95909: Make _PyArg_Parser initialization thread safe (GH-95958) 2022-08-16 11:22:14 -07:00
getcompiler.c
getcopyright.c
getopt.c gh-90300: split --help output into separate options (#30331) 2022-06-01 05:50:01 -04:00
getplatform.c
getversion.c
hamt.c GH-93207: Remove HAVE_STDARG_PROTOTYPES configure check for stdarg.h (#93215) 2022-05-27 13:30:45 +02:00
hashtable.c
import.c gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742) 2022-06-14 07:15:26 +03:00
importdl.c
importdl.h
initconfig.c gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
makeopcodetargets.py gh-94216: add pseudo instructions to the dis/opcodes modules (GH-94241) 2022-07-01 15:33:35 +01:00
marshal.c gh-78214: marshal: Stabilize FLAG_REF usage (GH-8226) 2022-05-04 10:01:15 +09:00
modsupport.c
mysnprintf.c
mystrtoul.c
opcode_targets.h gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
pathconfig.c gh-91985: Ensure in-tree builds override platstdlib_dir in every path calculation (GH-93641) 2022-06-16 22:41:57 +01:00
preconfig.c gh-77782: Deprecate global configuration variable (#93943) 2022-06-17 16:12:00 +02:00
pyarena.c
pyctype.c
pyfpe.c
pyhash.c
pylifecycle.c gh-96143: Allow Linux perf profiler to see Python calls (GH-96123) 2022-08-30 10:11:18 -07:00
pymath.c
pystate.c GH-96071: fix deadlock in PyGILState_Ensure (GH-96124) 2022-08-19 12:43:00 -07:00
pystrcmp.c
pystrhex.c
pystrtod.c
Python-ast.c gh-95185: Check recursion depth in the AST constructor (#95186) 2022-07-24 15:58:52 +01:00
Python-tokenize.c gh-90928: Statically Initialize the Keywords Tuple in Clinic-Generated Code (gh-95860) 2022-08-11 15:25:49 -06:00
pythonrun.c gh-92651: Remove the Include/token.h header file (#92652) 2022-05-11 23:22:50 +02:00
pytime.c gh-74953: Add _PyTime_FromMicrosecondsClamp() function (#93942) 2022-06-17 16:11:13 +02:00
README
specialize.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
stdlib_module_names.h gh-93243: Make smtpd private before porting its users (GH-93246) 2022-08-05 17:41:29 -07:00
structmember.c
suggestions.c gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938) 2022-06-19 12:02:33 +02:00
symtable.c
sysmodule.c gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
thread.c gh-96125: Fix sys.thread_info.name on pthread platforms (GH-96126) 2022-08-19 12:41:25 -07:00
thread_nt.h gh-88750: On Windows, PyThread_acquire_lock() no longer checks for NULL (#92586) 2022-05-10 02:00:38 +02:00
thread_pthread.h gh-95174: Add pthread stubs for WASI (GH-95234) 2022-07-27 20:28:06 +02:00
thread_pthread_stubs.h gh-95174: Add pthread stubs for WASI (GH-95234) 2022-07-27 20:28:06 +02:00
traceback.c gh-93883: elide traceback indicators when possible (#93994) 2022-07-11 07:40:53 +01:00

Miscellaneous source files for the main Python shared library