cpython/Include/internal
Gregory P. Smith f8b71da9aa
[3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499 aka 511ca94520

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

* Issue: gh-95778

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
2022-09-02 09:48:57 -07:00
pycore_abstract.h bpo-45636: Simplify BINARY_OP (GH-29565) 2021-11-16 05:53:57 -08:00
pycore_accu.h bpo-36635: Change pyport.h for Py_BUILD_CORE_MODULE define (GH-12853) 2019-04-17 23:02:26 +02:00
pycore_asdl.h bpo-45476: Disallow using asdl_seq_GET() as l-value (GH-29866) 2021-11-30 15:13:55 +01:00
pycore_ast.h bpo-45292: [PEP-654] add except* (GH-29581) 2021-12-14 16:48:15 +00:00
pycore_ast_state.h [3.11] gh-95185: Check recursion depth in the AST constructor (GH-95186) (GH-95208) 2022-07-26 12:19:22 +02:00
pycore_atomic.h Fix typo in internal/pycore_atomic.h (GH-95939) 2022-08-12 21:04:06 -07:00
pycore_atomic_funcs.h bpo-39465: Add pycore_atomic_funcs.h header (GH-20766) 2020-12-23 03:41:08 +01:00
pycore_bitutils.h bpo-29882: Fix portability bug introduced in GH-30774 (#30794) 2022-01-23 09:59:34 +00:00
pycore_blocks_output_buffer.h bpo-44458: Ensure BUFFER_BLOCK_SIZE symbol is statically allocated. (GH-26808) 2021-06-21 23:36:36 -07:00
pycore_bytes_methods.h bpo-35081: Move bytes_methods.h to the internal C API (GH-18492) 2020-02-12 22:32:34 +01:00
pycore_bytesobject.h bpo-47070: Add _PyBytes_Repeat() (GH-31999) 2022-03-28 04:43:45 -04:00
pycore_call.h bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
pycore_ceval.h [3.11] gh-90473: Reduce recursion limit on WASI even further (GH-94333) (GH-94334) 2022-06-27 18:33:01 +02:00
pycore_code.h [3.11] GH-94739: Backport GH-94958 to 3.11 (#94965) 2022-07-25 12:11:06 +01:00
pycore_compile.h bpo-42609: Check recursion depth in the AST validator and optimizer (GH-23744) 2021-04-25 13:38:00 +03:00
pycore_condvar.h bpo-46315: Add ifdef HAVE_ feature checks for WASI compatibility (GH-30507) 2022-01-13 09:46:04 +01:00
pycore_context.h bpo-46417: Clear more static types (GH-30796) 2022-01-22 18:55:48 +01:00
pycore_dict.h gh-46845: clean up unused DK_IXSIZE (GH-96405) 2022-08-30 00:28:51 -07:00
pycore_dtoa.h bpo-45412: Add _PY_SHORT_FLOAT_REPR macro (GH-31171) 2022-02-23 18:16:23 +01:00
pycore_emscripten_signal.h bpo-47176: Interrupt handling for wasm32-emscripten builds without pthreads (GH-32209) 2022-04-03 22:58:52 +02:00
pycore_exceptions.h bpo-46417: Factorize _PyExc_InitTypes() code (GH-30804) 2022-01-22 21:48:56 +01:00
pycore_fileutils.h bpo-46362: Ensure ntpath.abspath() uses the Windows API correctly (GH-30571) 2022-01-13 23:35:42 +00:00
pycore_floatobject.h gh-90667: Add specializations of Py_DECREF when types are known (GH-30872) 2022-04-19 19:02:19 +01:00
pycore_format.h bpo-45995: add "z" format specifier to coerce negative 0 to zero (GH-30049) 2022-04-11 15:34:18 +01:00
pycore_frame.h [3.11] GH-94262: Don't create frame objects for frames that aren't yet complete. (GH-94371) (#94482) 2022-07-04 19:43:12 +01:00
pycore_function.h bpo-45316: Move private functions to internal C API (GH-31579) 2022-02-25 16:07:14 +01:00
pycore_gc.h bpo-46753: Add the empty tuple to the _PyRuntimeState.global_objects. (gh-31345) 2022-02-28 15:15:48 -07:00
pycore_genobject.h bpo-45316: Move private functions to internal C API (GH-31579) 2022-02-25 16:07:14 +01:00
pycore_getopt.h bpo-36763: Cleanup precmdline in _PyCoreConfig_Read() (GH-13371) 2019-05-17 03:15:12 +02:00
pycore_gil.h bpo-38353: Cleanup includes in the internal C API (GH-16548) 2019-10-02 23:51:20 +02:00
pycore_global_objects.h bpo-46753: Add the empty tuple to the _PyRuntimeState.global_objects. (gh-31345) 2022-02-28 15:15:48 -07:00
pycore_global_strings.h [3.11] gh-91162: Support splitting of unpacked arbitrary-length tuple over TypeVar and TypeVarTuple parameters (alt) (GH-93412) (GH-93746) 2022-06-14 21:15:56 +03:00
pycore_hamt.h gh-93065: Fix HAMT to iterate correctly over 7-level deep trees (GH-93066) (GH-93145) 2022-05-24 10:52:06 +02:00
pycore_hashtable.h bpo-40602: Write unit tests for _Py_hashtable_t (GH-20091) 2020-05-14 21:55:47 +02:00
pycore_import.h bpo-45395: Make custom frozen modules additions instead of replacements. (gh-28778) 2021-10-28 15:04:33 -06:00
pycore_initconfig.h [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
pycore_interp.h [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
pycore_interpreteridobject.h bpo-35081: Move interpreteridobject.h to Include/internal/ (GH-28969) 2021-10-15 11:56:34 +02:00
pycore_list.h bpo-47009: Streamline list.append for the common case (GH-31864) 2022-04-01 11:23:42 +01:00
pycore_long.h [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
pycore_moduleobject.h bpo-45459: Use type names in the internal C API (GH-31669) 2022-03-03 23:08:07 +01:00
pycore_namespace.h bpo-45482: Rename namespaceobject.h to pycore_namespace.h (GH-28975) 2021-10-15 15:21:21 +02:00
pycore_object.h gh-90667: Add specializations of Py_DECREF when types are known (GH-30872) 2022-04-19 19:02:19 +01:00
pycore_opcode.h [3.11] GH-95113: Don't use EXTENDED_ARG_QUICK in unquickened code (GH-95121) (GH-95143) 2022-07-22 11:56:10 -07:00
pycore_parser.h bpo-43244: Remove parser_interface.h header file (GH-25001) 2021-03-24 01:29:09 +01:00
pycore_pathconfig.h bpo-45582: Port getpath[p].c to Python (GH-29041) 2021-12-03 00:08:42 +00:00
pycore_pyarena.h bpo-43244: Remove the pyarena.h header (GH-25007) 2021-03-24 02:23:01 +01:00
pycore_pyerrors.h gh-90667: Add specializations of Py_DECREF when types are known (GH-30872) 2022-04-19 19:02:19 +01:00
pycore_pyhash.h bpo-36635: Change pyport.h for Py_BUILD_CORE_MODULE define (GH-12853) 2019-04-17 23:02:26 +02:00
pycore_pylifecycle.h gh-64783: Fix signal.NSIG value on FreeBSD (#91929) 2022-04-26 00:13:31 +02:00
pycore_pymath.h bpo-46816: Remove declarations for non-__STDC__ compilers (GH-31466) 2022-02-26 00:16:59 +01:00
pycore_pymem.h bpo-40170: Move _Py_GetAllocatedBlocks() to pycore_pymem.h (GH-30943) 2022-01-27 21:23:22 +01:00
pycore_pystate.h GH-90081: Run python tracers at full speed (GH-95328) (#95363) 2022-07-29 09:43:52 +01:00
pycore_runtime.h [3.11] bpo-40514: Drop EXPERIMENTAL_ISOLATED_SUBINTERPRETERS (gh-93185) (GH-93306) 2022-05-27 17:56:30 -07:00
pycore_runtime_init.h [3.11] gh-91162: Support splitting of unpacked arbitrary-length tuple over TypeVar and TypeVarTuple parameters (alt) (GH-93412) (GH-93746) 2022-06-14 21:15:56 +03:00
pycore_signal.h gh-64783: Fix signal.NSIG value on FreeBSD (#91929) 2022-04-26 00:13:31 +02:00
pycore_sliceobject.h bpo-46008: Make runtime-global object/type lifecycle functions and state consistent. (gh-29998) 2021-12-09 12:59:26 -07:00
pycore_strhex.h gh-91768: C API no longer use "const PyObject*" type (#91769) 2022-04-21 22:07:19 +02:00
pycore_structseq.h bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
pycore_symtable.h bpo-46765: Replace Locally Cached Strings with Statically Initialized Objects (gh-31366) 2022-02-22 17:23:51 -07:00
pycore_sysmodule.h bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
pycore_traceback.h bpo-45459: Use type names in the internal C API (GH-31669) 2022-03-03 23:08:07 +01:00
pycore_tuple.h bpo-46753: Add the empty tuple to the _PyRuntimeState.global_objects. (gh-31345) 2022-02-28 15:15:48 -07:00
pycore_typeobject.h bpo-46417: Py_Finalize() clears static types (GH-30743) 2022-01-21 13:06:34 +01:00
pycore_ucnhash.h bpo-42157: Rename unicodedata.ucnhash_CAPI (GH-22994) 2020-10-27 04:36:22 +01:00
pycore_unicodeobject.h gh-90667: Add specializations of Py_DECREF when types are known (GH-30872) 2022-04-19 19:02:19 +01:00
pycore_unionobject.h gh-91603: Speed up isinstance/issubclass on union types (GH-91631) 2022-04-28 23:24:19 +08:00
pycore_warnings.h bpo-35134: Split warnings.h and weakrefobject.h (GH-29042) 2021-10-19 01:31:57 +02:00