cpython/Python
Gregory P. Smith f8b71da9aa
[3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499 aka 511ca94520

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

* Issue: gh-95778

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
2022-09-02 09:48:57 -07:00
clinic [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
deepfreeze bpo-45696: Deep-freeze selected modules (GH-29118) 2021-11-10 18:01:53 -08:00
frozen_modules bpo-45020: Drop the frozen .h files from the repo. (gh-28392) 2021-09-16 14:20:52 -06:00
_warnings.c gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938) (#94000) 2022-06-20 15:47:41 +02:00
adaptive.md Update adaptive.md for inline caching (GH-31817) 2022-03-11 14:29:10 +00:00
asdl.c bpo-43244: Remove ast.h, asdl.h, Python-ast.h headers (GH-24933) 2021-03-23 20:47:40 +01:00
ast.c gh-92597: Improve error message for AST nodes with invalid ranges (GH-93398) (GH-93414) 2022-06-01 14:05:40 +01:00
ast_opt.c bpo-45995: add "z" format specifier to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
ast_unparse.c bpo-43224: Implement PEP 646 grammar changes (GH-31018) 2022-03-26 09:55:35 -07:00
bltinmodule.c gh-92203: Add closure support to exec(). (#92204) 2022-05-06 10:09:35 -07:00
bootstrap_hash.c bpo-46303: Move fileutils.h private functions to internal C API (GH-30484) 2022-01-11 11:56:16 +01:00
ceval.c GH-90081: Run python tracers at full speed (GH-95328) (#95363) 2022-07-29 09:43:52 +01:00
ceval_gil.h [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
codecs.c bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
compile.c [3.11] GH-94036: Fix more attribute location quirks (GH-95028) (GH-95156) 2022-07-22 17:31:06 -07:00
condvar.h bpo-44740: Lowercase "internet" and "web" where appropriate. (#27378) 2021-07-27 00:11:55 +02:00
context.c Add more stats for freelist use and allocations. (GH-92211) 2022-05-03 16:40:24 -06:00
dtoa.c bpo-45412: Add _PY_SHORT_FLOAT_REPR macro (GH-31171) 2022-02-23 18:16:23 +01:00
dup2.c [3.11] gh-95174: Handle missing dup() and constants in WASI (GH-95229) (GH-95272) 2022-07-31 16:39:41 +01:00
dynamic_annotations.c bpo-32241: Add the const qualifier to declarations of unmodifiable strings. (#4748) 2017-12-12 13:55:04 +02:00
dynload_hpux.c bpo-44959: Add fallback to extension modules with '.sl' suffix on HP-UX (GH-27857) 2021-09-08 14:43:00 +02:00
dynload_shlib.c bpo-43895: Remove an unnecessary cache of shared object handles (GH-25487) 2021-07-07 16:26:06 -07:00
dynload_stub.c
dynload_win.c gh-57684: Add -P cmdline option and PYTHONSAFEPATH env var (#31542) 2022-05-06 01:34:11 +02:00
emscripten_signal.c bpo-47176: Interrupt handling for wasm32-emscripten builds without pthreads (GH-32209) 2022-04-03 22:58:52 +02:00
errors.c Fix refleaks in PyErr_SetHandledException (GH-91627) 2022-04-17 02:52:53 -04:00
fileutils.c [3.11] gh-95174: Handle missing dup() and constants in WASI (GH-95229) (GH-95272) 2022-07-31 16:39:41 +01:00
formatter_unicode.c bpo-45995: add "z" format specifier to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
frame.c [3.11] GH-94262: Don't create frame objects for frames that aren't yet complete. (GH-94371) (#94482) 2022-07-04 19:43:12 +01:00
frozen.c bpo-46748: Don't import <stdbool.h> in public headers (GH-31553) 2022-02-25 09:25:54 +01:00
frozenmain.c bpo-44131: Py_FrozenMain() uses PyConfig_SetBytesArgv() (GH-26201) 2021-05-20 12:08:05 +02:00
future.c bpo-38605: Revert making 'from __future__ import annotations' the default (GH-25490) 2021-04-21 12:41:19 +01:00
getargs.c [3.11] gh-94938: Fix error detection of unexpected keyword arguments (GH-94999) (GH-95353) 2022-07-28 09:51:45 +03:00
getcompiler.c closes bpo-43278: remove unnecessary leading '\n' from COMPILER when build with GCC/Clang (GH-24606) 2021-02-25 20:24:21 -08:00
getcopyright.c Update copyright year to 2022. (GH-30335) 2022-01-02 12:08:48 -08:00
getopt.c gh-90300: split --help output into separate options (GH-30331) 2022-06-14 12:15:42 -07:00
getplatform.c bpo-32150: Expand tabs to spaces in C files. (#4583) 2017-11-28 17:56:10 +02:00
getversion.c bpo-43931: Export Python version as API data (GH-25577) 2021-12-09 17:52:05 -08:00
hamt.c gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (GH-93145) 2022-05-24 10:52:06 +02:00
hashtable.c bpo-41061: Fix incorrect expressions in hashtable (GH-21028) 2020-06-22 00:41:48 -07:00
import.c [3.11] gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742) (GH-93792) 2022-06-14 08:51:39 +03:00
importdl.c bpo-47162: Add call trampoline to mitigate bad fpcasts on Emscripten (GH-32189) 2022-03-30 12:28:33 -07:00
importdl.h bpo-47162: Add call trampoline to mitigate bad fpcasts on Emscripten (GH-32189) 2022-03-30 12:28:33 -07:00
initconfig.c [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
makeopcodetargets.py bpo-43760: Check for tracing using 'bitwise or' instead of branch in dispatch. (GH-28723) 2021-10-05 11:01:11 +01:00
marshal.c gh-78214: marshal: Stabilize FLAG_REF usage (GH-8226) 2022-05-04 10:01:15 +09:00
modsupport.c bpo-1635741: Add PyModule_AddObjectRef() function (GH-23122) 2020-11-04 13:59:15 +01:00
mysnprintf.c bpo-36020: Require vsnprintf() to build Python (GH-20899) 2020-06-16 00:54:44 +02:00
mystrtoul.c bpo-35134: Add Include/cpython/longobject.h (GH-29044) 2021-10-19 02:04:52 +02:00
opcode_targets.h gh-91869: Fix tracing of specialized instructions with extended args (GH-91945) 2022-04-27 22:36:34 -06:00
pathconfig.c gh-91985: Ensure in-tree builds override platstdlib_dir in every path calculation (GH-93641) 2022-06-20 11:37:27 -07:00
preconfig.c [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
pyarena.c bpo-43244: Remove the pyarena.h header (GH-25007) 2021-03-24 02:23:01 +01:00
pyctype.c
pyfpe.c bpo-46315: Add ifdef HAVE_ feature checks for WASI compatibility (GH-30507) 2022-01-13 09:46:04 +01:00
pyhash.c bpo-29410: Change the default hash algorithm to SipHash13. (GH-28752) 2021-10-10 17:29:46 +09:00
pylifecycle.c [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
pymath.c bpo-45440: Remove pymath.c fallbacks (GH-28977) 2021-10-15 19:45:34 +02:00
pystate.c GH-96071: fix deadlock in PyGILState_Ensure (GH-96124) (#96129) 2022-08-19 22:11:31 +01:00
pystrcmp.c bpo-41524: fix pointer bug in PyOS_mystr{n}icmp (GH-21845) 2020-08-27 14:45:25 +09:00
pystrhex.c gh-91768: C API no longer use "const PyObject*" type (#91769) 2022-04-21 22:07:19 +02:00
pystrtod.c bpo-45995: add "z" format specifier to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
Python-ast.c [3.11] gh-95185: Check recursion depth in the AST constructor (GH-95186) (GH-95208) 2022-07-26 12:19:22 +02:00
Python-tokenize.c bpo-46613: Add PyType_GetModuleByDef to the public API (GH-31081) 2022-02-11 17:22:11 +01:00
pythonrun.c Use static inline function Py_EnterRecursiveCall() (#91988) 2022-05-04 13:30:23 +02:00
pytime.c gh-91731: Replace Py_BUILD_ASSERT() with static_assert() (#91730) 2022-04-20 19:26:40 +02:00
README
specialize.c [3.11] GH-95113: Don't use EXTENDED_ARG_QUICK in unquickened code (GH-95121) (GH-95143) 2022-07-22 11:56:10 -07:00
stdlib_module_names.h bpo-40059: Add tomllib (PEP-680) (GH-31498) 2022-03-08 09:26:13 +01:00
structmember.c bpo-44655: Include the name of the type in unset __slots__ attribute errors (GH-27199) 2021-07-17 00:34:46 +01:00
suggestions.c gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938) (#94000) 2022-06-20 15:47:41 +02:00
symtable.c bpo-46765: Replace Locally Cached Strings with Statically Initialized Objects (gh-31366) 2022-02-22 17:23:51 -07:00
sysmodule.c [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
thread.c gh-96125: Fix sys.thread_info.name on pthread platforms (GH-96126) (#96128) 2022-08-21 17:37:15 +01:00
thread_nt.h bpo-46008: Move thread-related interpreter state into a sub-struct. (gh-29971) 2021-12-07 14:03:47 -07:00
thread_pthread.h [3.11] gh-95174: Add pthread stubs for WASI (GH-95234) (#95503) 2022-08-01 15:37:45 +01:00
thread_pthread_stubs.h [3.11] gh-95174: Add pthread stubs for WASI (GH-95234) (#95503) 2022-08-01 15:37:45 +01:00
traceback.c [3.11] gh-93883: elide traceback indicators when possible (GH-93994) (GH-94740) 2022-07-11 04:27:29 -07:00

Miscellaneous source files for the main Python shared library