cpython/Python
Gregory P. Smith f8b71da9aa
[3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499 aka 511ca94520

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo by many others (see the NEWS entry in the PR).

* Issue: gh-95778

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
2022-09-02 09:48:57 -07:00
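The commit message above describes the failure mode (quadratic-time decimal str/int conversion driven by attacker-sized input) but not the shape of the mitigation. The script below is an added example, not code from this commit or from CPython, that shows the problem and two layers of defence: the interpreter's own digit limit where it exists, and a portable length pre-check that works on interpreters that predate the fix. It assumes, from the shipped fix rather than from this page, that the limit API is `sys.get_int_max_str_digits()` / `sys.set_int_max_str_digits()`, that the default is 4300 digits, that `0` disables it, and that power-of-two bases are exempt because they convert in linear time. The 200k-digit "hostile" string is constructed here for the demonstration.

```python
"""Added example for gh-95778 / CVE-2020-10735: guard int() against
oversized decimal input.  Not CPython's own code.

Assumptions (from the shipped fix, not from this page): the limit API is
sys.get/set_int_max_str_digits(), the default is 4300 digits, 0 disables
the limit, and bases 2/4/8/16/32 are exempt because they are linear-time.
"""
import sys
import time

DEFAULT_MAX_DIGITS = 4300  # assumed shipped default of the fix


def limit_supported() -> bool:
    """True when this interpreter carries the gh-95778 limit API."""
    return hasattr(sys, "set_int_max_str_digits")


def is_within_limit(text: str, max_digits: int = DEFAULT_MAX_DIGITS,
                    base: int = 10) -> bool:
    """Cheap O(n) pre-check: does `text` have few enough digits to convert?

    Power-of-two bases convert in linear time and are exempt, matching the
    upstream behaviour.  Sign, surrounding whitespace and the underscores
    that int() tolerates are not counted as digits.
    """
    if base & (base - 1) == 0:
        return True
    digits = text.strip().lstrip("+-").replace("_", "")
    return len(digits) <= max_digits


def safe_int(text: str, max_digits: int = DEFAULT_MAX_DIGITS,
             base: int = 10) -> int:
    """int() guarded by the length check; works on any CPython version."""
    if not is_within_limit(text, max_digits, base):
        raise ValueError(
            f"refusing to convert {len(text)} characters in base {base} "
            f"(limit {max_digits} digits)")
    return int(text, base)


def interpreter_rejects(text: str) -> bool:
    """Does the running interpreter's own limit refuse int(text)?"""
    try:
        int(text)
    except ValueError:
        return True
    return False


def unlimited_conversion_seconds(n_digits: int) -> float:
    """Time int() on an n-digit decimal string with the limit disabled.

    On a patched interpreter the limit is switched off (0) only for the
    measurement and restored afterwards; on an unpatched one there is
    nothing to switch off, which is exactly the exposure the fix closes.
    """
    text = "9" * n_digits
    saved = sys.get_int_max_str_digits() if limit_supported() else None
    if saved is not None:
        sys.set_int_max_str_digits(0)
    try:
        t0 = time.perf_counter()
        int(text)
        return time.perf_counter() - t0
    finally:
        if saved is not None:
            sys.set_int_max_str_digits(saved)


if __name__ == "__main__":
    hostile = "9" * 200_000  # constructed attacker-style input
    print("limit API present:", limit_supported())
    if limit_supported():
        print("default limit:", sys.get_int_max_str_digits())
    print("interpreter rejects 200k-digit int():", interpreter_rejects(hostile))
    print("pre-check rejects it:", not is_within_limit(hostile))
    print("same length in hex is fine:", is_within_limit("f" * 200_000, base=16))
    # Quadratic cost: doubling the digit count roughly quadruples the time.
    t1 = unlimited_conversion_seconds(25_000)
    t2 = unlimited_conversion_seconds(50_000)
    print(f"25k digits: {t1:.3f}s  50k digits: {t2:.3f}s  ratio {t2 / t1:.1f}x")
```

Use `safe_int` at trust boundaries (request parsers, JSON/CSV ingestion, CLI arguments) so that the check happens before the quadratic conversion rather than relying on every deployed interpreter having the backported limit; the same consideration applies to `str(big_int)`, which the fix limits in the other direction.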
clinic [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
deepfreeze bpo-45696: Deep-freeze selected modules (GH-29118) 2021-11-10 18:01:53 -08:00
frozen_modules bpo-45020: Drop the frozen .h files from the repo. (gh-28392) 2021-09-16 14:20:52 -06:00
_warnings.c gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938) (#94000) 2022-06-20 15:47:41 +02:00
adaptive.md Update adaptive.md for inline caching (GH-31817) 2022-03-11 14:29:10 +00:00
asdl.c
ast.c gh-92597: Improve error message for AST nodes with invalid ranges (GH-93398) (GH-93414) 2022-06-01 14:05:40 +01:00
ast_opt.c bpo-45995: add "z" format specifer to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
ast_unparse.c bpo-43224: Implement PEP 646 grammar changes (GH-31018) 2022-03-26 09:55:35 -07:00
bltinmodule.c gh-92203: Add closure support to exec(). (#92204) 2022-05-06 10:09:35 -07:00
bootstrap_hash.c bpo-46303: Move fileutils.h private functions to internal C API (GH-30484) 2022-01-11 11:56:16 +01:00
ceval.c GH-90081: Run python tracers at full speed (GH-95328) (#95363) 2022-07-29 09:43:52 +01:00
ceval_gil.h [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
codecs.c bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
compile.c [3.11] GH-94036: Fix more attribute location quirks (GH-95028) (GH-95156) 2022-07-22 17:31:06 -07:00
condvar.h
context.c Add more stats for freelist use and allocations. (GH-92211) 2022-05-03 16:40:24 -06:00
dtoa.c bpo-45412: Add _PY_SHORT_FLOAT_REPR macro (GH-31171) 2022-02-23 18:16:23 +01:00
dup2.c [3.11] gh-95174: Handle missing dup() and constants in WASI (GH-95229) (GH-95272) 2022-07-31 16:39:41 +01:00
dynamic_annotations.c
dynload_hpux.c
dynload_shlib.c
dynload_stub.c
dynload_win.c gh-57684: Add -P cmdline option and PYTHONSAFEPATH env var (#31542) 2022-05-06 01:34:11 +02:00
emscripten_signal.c bpo-47176: Interrupt handling for wasm32-emscripten builds without pthreads (GH-32209) 2022-04-03 22:58:52 +02:00
errors.c Fix refleaks in PyErr_SetHandledException (GH-91627) 2022-04-17 02:52:53 -04:00
fileutils.c [3.11] gh-95174: Handle missing dup() and constants in WASI (GH-95229) (GH-95272) 2022-07-31 16:39:41 +01:00
formatter_unicode.c bpo-45995: add "z" format specifer to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
frame.c [3.11] GH-94262: Don't create frame objects for frames that aren't yet complete. (GH-94371) (#94482) 2022-07-04 19:43:12 +01:00
frozen.c bpo-46748: Don't import <stdbool.h> in public headers (GH-31553) 2022-02-25 09:25:54 +01:00
frozenmain.c
future.c
getargs.c [3.11] gh-94938: Fix errror detection of unexpected keyword arguments (GH-94999) (GH-95353) 2022-07-28 09:51:45 +03:00
getcompiler.c
getcopyright.c Update copyright year to 2022. (GH-30335) 2022-01-02 12:08:48 -08:00
getopt.c gh-90300: split --help output into separate options (GH-30331) 2022-06-14 12:15:42 -07:00
getplatform.c
getversion.c bpo-43931: Export Python version as API data (GH-25577) 2021-12-09 17:52:05 -08:00
hamt.c gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (GH-93145) 2022-05-24 10:52:06 +02:00
hashtable.c
import.c [3.11] gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742) (GH-93792) 2022-06-14 08:51:39 +03:00
importdl.c bpo-47162: Add call trampoline to mitigate bad fpcasts on Emscripten (GH-32189) 2022-03-30 12:28:33 -07:00
importdl.h bpo-47162: Add call trampoline to mitigate bad fpcasts on Emscripten (GH-32189) 2022-03-30 12:28:33 -07:00
initconfig.c [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
makeopcodetargets.py bpo-43760: Check for tracing using 'bitwise or' instead of branch in dispatch. (GH-28723) 2021-10-05 11:01:11 +01:00
marshal.c gh-78214: marshal: Stabilize FLAG_REF usage (GH-8226) 2022-05-04 10:01:15 +09:00
modsupport.c
mysnprintf.c
mystrtoul.c bpo-35134: Add Include/cpython/longobject.h (GH-29044) 2021-10-19 02:04:52 +02:00
opcode_targets.h gh-91869: Fix tracing of specialized instructions with extended args (GH-91945) 2022-04-27 22:36:34 -06:00
pathconfig.c gh-91985: Ensure in-tree builds override platstdlib_dir in every path calculation (GH-93641) 2022-06-20 11:37:27 -07:00
preconfig.c [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
pyarena.c
pyctype.c
pyfpe.c bpo-46315: Add ifdef HAVE_ feature checks for WASI compatibility (GH-30507) 2022-01-13 09:46:04 +01:00
pyhash.c bpo-29410: Change the default hash algorithm to SipHash13. (GH-28752) 2021-10-10 17:29:46 +09:00
pylifecycle.c [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
pymath.c bpo-45440: Remove pymath.c fallbacks (GH-28977) 2021-10-15 19:45:34 +02:00
pystate.c GH-96071: fix deadlock in PyGILState_Ensure (GH-96124) (#96129) 2022-08-19 22:11:31 +01:00
pystrcmp.c
pystrhex.c gh-91768: C API no longer use "const PyObject*" type (#91769) 2022-04-21 22:07:19 +02:00
pystrtod.c bpo-45995: add "z" format specifer to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
Python-ast.c [3.11] gh-95185: Check recursion depth in the AST constructor (GH-95186) (GH-95208) 2022-07-26 12:19:22 +02:00
Python-tokenize.c bpo-46613: Add PyType_GetModuleByDef to the public API (GH-31081) 2022-02-11 17:22:11 +01:00
pythonrun.c Use static inline function Py_EnterRecursiveCall() (#91988) 2022-05-04 13:30:23 +02:00
pytime.c gh-91731: Replace Py_BUILD_ASSERT() with static_assert() (#91730) 2022-04-20 19:26:40 +02:00
README
specialize.c [3.11] GH-95113: Don't use EXTENDED_ARG_QUICK in unquickened code (GH-95121) (GH-95143) 2022-07-22 11:56:10 -07:00
stdlib_module_names.h bpo-40059: Add tomllib (PEP-680) (GH-31498) 2022-03-08 09:26:13 +01:00
structmember.c
suggestions.c gh-93937, C API: Move PyFrame_GetBack() to Python.h (#93938) (#94000) 2022-06-20 15:47:41 +02:00
symtable.c bpo-46765: Replace Locally Cached Strings with Statically Initialized Objects (gh-31366) 2022-02-22 17:23:51 -07:00
sysmodule.c [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
thread.c gh-96125: Fix sys.thread_info.name on pthread platforms (GH-96126) (#96128) 2022-08-21 17:37:15 +01:00
thread_nt.h bpo-46008: Move thread-related interpreter state into a sub-struct. (gh-29971) 2021-12-07 14:03:47 -07:00
thread_pthread.h [3.11] gh-95174: Add pthread stubs for WASI (GH-95234) (#95503) 2022-08-01 15:37:45 +01:00
thread_pthread_stubs.h [3.11] gh-95174: Add pthread stubs for WASI (GH-95234) (#95503) 2022-08-01 15:37:45 +01:00
traceback.c [3.11] gh-93883: elide traceback indicators when possible (GH-93994) (GH-94740) 2022-07-11 04:27:29 -07:00

Miscellaneous source files for the main Python shared library