cpython/Lib
Gregory P. Smith f8b71da9aa
[3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

This backports https://github.com/python/cpython/pull/96499 aka 511ca94520

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

* Issue: gh-95778

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
2022-09-02 09:48:57 -07:00
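To see the problem the commit describes and what the fix changes from the outside, here is an added example; it is not part of this commit, of CPython's own test suite, or of the page above. It assumes a CPython that either carries this fix (exposing `sys.get_int_max_str_digits()` / `sys.set_int_max_str_digits()`, with a default limit of 4300 decimal digits and 0 meaning unlimited) or predates it, and `parse_int_bounded`, `growth_ratio` and the other function names are the example's own. It times `int()` on constructed digit strings to show the superlinear cost, checks whether the interpreter's limit rejects oversized input, and shows the application-level digit count you still need on interpreters without the fix.

```python
import sys
import time


def enforced_limit():
    """Return the interpreter's int<->str digit limit, or None when the
    interpreter predates the fix or the limit is disabled (0 = unlimited)."""
    if not hasattr(sys, "get_int_max_str_digits"):
        return None
    return sys.get_int_max_str_digits() or None


def conversion_seconds(ndigits):
    """Time int() on a constructed string of ndigits '9' characters.
    The limit is switched off for the measurement and restored afterwards,
    so the timing works the same on patched and unpatched interpreters."""
    text = "9" * ndigits                       # constructed malicious-style input
    saved = None
    if hasattr(sys, "set_int_max_str_digits"):
        saved = sys.get_int_max_str_digits()
        sys.set_int_max_str_digits(0)          # 0 disables the check
    try:
        start = time.perf_counter()
        int(text)
        return time.perf_counter() - start
    finally:
        if saved is not None:
            sys.set_int_max_str_digits(saved)


def growth_ratio(small, large):
    """How much longer the larger conversion takes than the smaller one.
    Linear work would give about large/small; the quadratic algorithm
    gives far more, which is what makes the DoS cheap for the attacker."""
    base = max(conversion_seconds(small), 1e-9)  # avoid a zero-length measurement
    return conversion_seconds(large) / base


def limit_rejects(ndigits):
    """True when int() on a string of ndigits digits raises ValueError
    under the interpreter's current limit."""
    try:
        int("9" * ndigits)
    except ValueError:
        return True
    return False


def parse_int_bounded(text, max_digits=4300):
    """Guard for code that must also run on interpreters without the fix:
    count decimal digits before handing untrusted text to int().
    4300 mirrors the fix's default; choose a lower bound for your own inputs.
    On a patched interpreter int() still applies its own limit afterwards."""
    body = text.strip()
    if body and body[0] in "+-":
        body = body[1:]
    digits = len(body.replace("_", ""))        # int() accepts '_' separators
    if digits > max_digits:
        raise ValueError(
            f"Exceeds the limit ({max_digits}) for integer string conversion: "
            f"value has {digits} digits")
    return int(text)


def guard_rejects(ndigits, max_digits=4300):
    """True when parse_int_bounded() refuses a string of ndigits digits."""
    try:
        parse_int_bounded("9" * ndigits, max_digits)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("interpreter limit:", enforced_limit())
    for n in (1_000, 10_000, 100_000):
        print(f"{n:>7} digits: {conversion_seconds(n):.4f}s")
    print("100k vs 1k digits, time ratio:", round(growth_ratio(1_000, 100_000)))
    print("interpreter rejects 4301 digits:", limit_rejects(4301))
    print("guard rejects 4301 digits:", guard_rejects(4301))
```

On a patched interpreter the default can also be changed process-wide with `-X int_max_str_digits=N` or `PYTHONINTMAXSTRDIGITS=N` (0 disables it). The limit covers both `int(str)` and `str(int)` for non-power-of-two bases; `int(s, 16)` and similar conversions are linear and are not limited. The digit-count guard is the part worth keeping in your own code if it has to run on a 3.11.0 or older interpreter that predates this fix.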
__phello__ bpo-45020: Add more test cases for frozen modules. (gh-28664) 2021-09-30 18:38:52 -06:00
asyncio GH-74116: Allow multiple drain waiters for asyncio.StreamWriter (GH-94705) (#96395) 2022-08-30 12:00:21 +01:00
collections bpo-26579: Add object.__getstate__(). (GH-2821) 2022-04-06 20:00:14 +03:00
concurrent gh-95166: cancel map waited on future on timeout (GH-95169) (GH-95364) 2022-07-28 12:56:21 +02:00
ctypes gh-84461: Fix ctypes and test_ctypes on Emscripten (GH-94142) 2022-06-24 04:17:21 -07:00
curses
dbm bpo-40563: Support pathlike objects on dbm/shelve (GH-21849) 2021-09-10 15:26:16 +03:00
distutils gh-90473: Fix more tests on platforms without umask (GH-95164) 2022-07-23 03:51:29 -07:00
email gh-95087: Fix IndexError in parsing invalid date in the email module (GH-95201) 2022-07-24 23:40:17 -07:00
encodings bpo-46659: Fix the MBCS codec alias on Windows (GH-31218) 2022-02-22 22:04:07 +01:00
ensurepip gh-95609: update bundled pip to 22.2.2 (gh-95610) 2022-08-03 12:52:38 -07:00
html Add source for character mappings (#92014) 2022-05-06 12:28:09 +02:00
http Run Tools/scripts/reindent.py (GH-94225) 2022-06-26 01:56:55 -07:00
idlelib [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
importlib gh-91181: drop support for bytes on sys.path (GH-31934) 2022-07-16 18:31:25 -07:00
json bpo-46565: del loop vars that are leaking into module namespaces (GH-30993) 2022-02-03 11:20:08 +02:00
lib2to3 gh-90473: Misc test fixes for WASI (GH-93218) 2022-05-25 07:24:32 -07:00
logging [3.11] gh-89047: Fix msecs computation so you never end up with 1000 msecs. (GH-96340) (GH-96341) 2022-08-27 15:09:54 +01:00
msilib gh-91217: deprecate msilib (GH-91515) 2022-04-14 12:50:11 -07:00
multiprocessing GH-83658: make multiprocessing.Pool raise an exception if maxtasksperchild is not None or a positive int (GH-93364) (GH-93923) 2022-06-17 23:31:42 +01:00
pydoc_data Python 3.11.0rc1 2022-08-05 15:45:18 +01:00
re gh-91404: Revert "bpo-23689: re module, fix memory leak when a match is terminated by a signal or allocation failure (GH-32283) (GH-93882) 2022-06-17 01:43:56 -07:00
site-packages
sqlite3 gh-79009: sqlite3.iterdump now correctly handles tables with autoincrement (GH-9621) 2022-06-19 16:25:13 -07:00
test [3.11] gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96500) 2022-09-02 09:48:57 -07:00
tkinter bpo-13553: Document tkinter.Tk args (GH-4786) 2022-05-09 21:17:57 -07:00
tomllib bpo-40059: Add tomllib (PEP-680) (GH-31498) 2022-03-08 09:26:13 +01:00
turtledemo
unittest gh-96021: Explicitly close the IsolatedAsyncioTestCase runner in tests (GH-96135) 2022-08-24 21:53:39 -07:00
urllib bpo-42627: Fix incorrect parsing of Windows registry proxy settings (GH-26307) 2022-05-11 11:41:53 -07:00
venv gh-92675: venv: Fix ensure_directories() to again accept a Path for env_dir (GH-92676) 2022-05-19 08:17:28 -07:00
wsgiref gh-95105: Return Iterator from wsgiref.types.InputStream.__iter__ (GH-95106) 2022-07-21 13:52:11 -07:00
xml gh-96175: add missing self._localName assignment in xml.dom.minidom.Attr (GH-96176) 2022-08-23 10:18:19 -07:00
xmlrpc bpo-47126: Update to canonical PEP URLs specified by PEP 676 (GH-32124) 2022-03-30 12:00:27 +01:00
zoneinfo bpo-46124: Update zoneinfo to rely on importlib.resources traversable API. (GH-30190) 2022-01-21 13:18:31 -08:00
__future__.py gh-93626: Set the release for __future__.annotations to None (GH-93628) (GH-94553) 2022-07-05 11:16:32 +02:00
__hello__.py bpo-47084: Clear Unicode cached representations on finalization (GH-32032) 2022-03-22 13:53:51 +01:00
_aix_support.py
_bootsubprocess.py
_collections_abc.py Minor code nit: Move an unrelated statement out of a try clause in Sequence.index (GH-32330) 2022-04-06 13:03:36 -05:00
_compat_pickle.py bpo-46565: del loop vars that are leaking into module namespaces (GH-30993) 2022-02-03 11:20:08 +02:00
_compression.py
_markupbase.py
_osx_support.py [codemod] Fix non-matching bracket pairs (GH-28473) 2021-09-22 01:09:00 +02:00
_py_abc.py
_pydecimal.py gh-91291: Accept attributes as keyword arguments in decimal.localcontext (#32242) 2022-04-21 21:27:15 -07:00
_pyio.py gh-93099: Fix _pyio to use locale module properly (gh-93136) 2022-05-23 18:03:37 -07:00
_sitebuiltins.py
_strptime.py
_threading_local.py
_weakrefset.py bpo-26579: Add object.__getstate__(). (GH-2821) 2022-04-06 20:00:14 +03:00
abc.py bpo-43827: Make arguments to abc.ABCMeta.__new__ pos-only (#25385) 2022-05-05 06:40:01 -07:00
aifc.py gh-47061: Deprecate chunk (GH-91419) 2022-04-11 15:02:41 -07:00
antigravity.py
argparse.py Allow translating argument error messages (#17169) 2022-05-05 00:32:49 -05:00
ast.py gh-92671: Don't omit parentheses when unparsing empty tuples (GH-92673) 2022-05-16 06:01:34 -07:00
asynchat.py bpo-47061: use warnings._deprecated() with asynchat, asyncore, and smtpd (GH-32350) 2022-04-06 11:22:39 -07:00
asyncore.py bpo-47061: use warnings._deprecated() with asynchat, asyncore, and smtpd (GH-32350) 2022-04-06 11:22:39 -07:00
base64.py bpo-35970: Add help flag to base64 module (GH-28774) 2021-10-06 18:38:43 -07:00
bdb.py
bisect.py
bz2.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-19 11:51:48 +09:00
calendar.py bpo-46659: Enhance LocaleTextCalendar for C locale (GH-31214) 2022-02-24 14:29:08 +01:00
cgi.py bpo-47061: deprecate cgi and cgitb (GH-32410) 2022-04-08 17:15:35 -07:00
cgitb.py bpo-47061: deprecate cgi and cgitb (GH-32410) 2022-04-08 17:15:35 -07:00
chunk.py gh-47061: Deprecate chunk (GH-91419) 2022-04-11 15:02:41 -07:00
cmd.py gh-67248: cmd: Sort miscellaneous help topics (#92254) 2022-05-03 21:36:52 -06:00
code.py
codecs.py
codeop.py Remove trailing spaces (GH-31695) 2022-03-05 17:47:00 +02:00
colorsys.py
compileall.py Fixed documentation typo in compileall.py (GH-29912) 2021-12-05 00:38:17 +09:00
configparser.py bpo-46607: Add DeprecationWarning for LegacyInterpolation, deprecated in docs since 3.2 (GH-30927) 2022-04-05 08:15:11 -07:00
contextlib.py gh-92118: fix traceback of exceptions propagated from inside a contextlib.contextmanager (GH-92202) 2022-05-04 19:40:47 +01:00
contextvars.py
copy.py gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609) (GH-93631) 2022-06-10 16:00:19 +02:00
copyreg.py bpo-26579: Add object.__getstate__(). (GH-2821) 2022-04-06 20:00:14 +03:00
cProfile.py bpo-34861: Make cumtime the default sorting key for cProfile (GH-31929) 2022-03-30 12:10:10 +01:00
crypt.py gh-95231: Disable md5 & crypt modules if FIPS is enabled (GH-94742) 2022-08-15 08:37:51 -07:00
csv.py bpo-43625: Enhance csv sniffer has_headers() to be more accurate (GH-26939) 2021-07-30 19:10:37 +02:00
dataclasses.py Fix minor docstring issues in dataclasses.py. (gh-93024) (GH-95286) 2022-07-27 10:08:21 +02:00
datetime.py Check result of utc_to_seconds and skip fold probe in pure Python (GH-91582) 2022-05-14 07:59:52 -07:00
decimal.py
difflib.py Correct method name typo (#91970) 2022-04-27 15:28:56 -06:00
dis.py bpo-40222: Mark exception table function in the dis module as private (GH-95961) 2022-08-14 08:08:04 -07:00
doctest.py bpo-28249: fix lineno location for empty DocTest instances (GH-30498) (GH-92978) 2022-05-19 20:03:06 +02:00
enum.py [3.11] [Enum] fix check in _test_simple_enum (GH-96435) 2022-08-30 12:39:03 -07:00
filecmp.py bpo-42958: Improve description of shallow= in filecmp.cmp docs (GH-27166) 2021-08-04 21:39:45 +02:00
fileinput.py gh-93157: Fix fileinput didn't support errors in inplace mode (GH-95128) 2022-07-23 20:05:10 -07:00
fnmatch.py gh-89973: Fix re.error in the fnmatch module. (GH-93072) 2022-06-05 02:39:11 -07:00
fractions.py bpo-44547: Make Fractions objects instances of typing.SupportsInt (GH-27851) 2021-10-22 00:09:47 +02:00
ftplib.py
functools.py gh-89828: Do not relay the __class__ attribute in GenericAlias (GH-93754) 2022-06-18 07:41:25 -07:00
genericpath.py
getopt.py
getpass.py
gettext.py
glob.py bpo-37578: glob.glob -- added include_hidden parameter (GH-30153) 2021-12-18 06:23:34 -08:00
graphlib.py bpo-45359: Support TopologicalSorter type subscript (GH-28714) 2021-12-08 20:52:57 +02:00
gzip.py gh-90839: Forward gzip.compress() compresslevel to zlib (gh-31215) 2022-04-12 22:46:40 +09:00
hashlib.py bpo-45150: Add hashlib.file_digest() for efficient file hashing (GH-31930) 2022-03-22 02:37:00 -07:00
heapq.py Update: usage doc for heappushpop (GH-91451) 2022-04-17 23:12:33 -05:00
hmac.py
imaplib.py
imghdr.py gh-91217: deprecate imghdr (#91461) 2022-04-13 10:47:41 -07:00
imp.py bpo-45019: Do some cleanup related to frozen modules. (gh-28319) 2021-09-13 16:18:37 -06:00
inspect.py gh-84753: Make inspect.iscoroutinefunction() work with AsyncMock (GH-94050) (GH-94460) 2022-06-30 20:04:42 +02:00
io.py bpo-46522: fix concurrent.futures and io AttributeError messages (GH-30887) 2022-02-23 02:25:00 +02:00
ipaddress.py bpo-46415: Use f-string for ValueError in ipaddress.ip_{address,network,interface} helper functions (#30642) 2022-05-03 06:12:58 -06:00
keyword.py
linecache.py gh-92336: linecache.getline should not raise exceptions on decoding errors (GH-94410) 2022-06-30 02:59:33 -07:00
locale.py gh-90817: Deprecate explicitly locale.resetlocale() (GH-93196) 2022-05-25 13:29:58 -07:00
lzma.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-19 11:51:48 +09:00
mailbox.py
mailcap.py [3.11] gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) (GH-93458) 2022-06-03 08:25:58 -07:00
mimetypes.py bpo-45639: Add webp and avif image formats to mimetypes (#29259) 2022-05-03 15:17:57 -06:00
modulefinder.py bpo-45017: move opcode-related logic from modulefinder to dis (GH-28246) 2021-09-09 14:04:12 +01:00
netrc.py bpo-28806: Continue work: improve the netrc library (GH-26330) 2021-11-17 11:07:54 +02:00
nntplib.py gh-91217: deprecate nntplib (GH-91543) 2022-04-15 12:32:56 -07:00
ntpath.py bpo-42658: Use LCMapStringEx in ntpath.normcase to match OS behaviour for case-folding (GH-93591) 2022-06-10 11:14:25 +01:00
nturl2path.py
numbers.py
opcode.py [3.11] GH-93516: Backport GH-93769 (GH-94231) 2022-06-28 16:30:22 +01:00
operator.py bpo-44019: Add operator.call() to __all__ for the operator module (GH-29110) 2021-10-21 19:05:36 +09:00
optparse.py
os.py gh-87901: Remove the encoding argument from os.popen (GH-92836) 2022-05-18 20:12:47 -07:00
pathlib.py gh-93156 - fix negative indexing into absolute pathlib.PurePath().parents (GH-93273) 2022-06-03 14:57:54 -07:00
pdb.py [3.11] gh-95913: make the new internal classes pdb.ModuleTarget/ScriptTarget private (GH-96053) (#96063) 2022-08-18 14:39:16 +01:00
pickle.py gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609) (GH-93631) 2022-06-10 16:00:19 +02:00
pickletools.py
pipes.py gh-91217: deprecate-pipes (GH-91779) 2022-04-21 19:28:34 -07:00
pkgutil.py [codemod] Fix non-matching bracket pairs (GH-28473) 2021-09-22 01:09:00 +02:00
platform.py gh-90473: Decrease recursion limit and skip tests on WASI (GH-92803) 2022-05-19 08:05:52 -07:00
plistlib.py bpo-40066: [Enum] skip failing doc test (GH-30637) 2022-01-17 07:18:13 -08:00
poplib.py
posixpath.py gh-91838: Resolve more HTTP links which redirect to HTTPS (GH-95650) (GH-95780) 2022-08-10 12:55:50 +02:00
pprint.py bpo-45557: Fix underscore_numbers in pprint.pprint(). (GH-29129) 2021-10-21 16:42:55 -04:00
profile.py
pstats.py
pty.py bpo-26228: [doc] Adapt PTY documentation updates from GH-4167 (GH-27754) 2021-08-13 12:57:07 +02:00
py_compile.py bpo-45428: Fix reading filenames from stdin in py_compile (GH-28848) 2021-10-15 12:38:55 +03:00
pyclbr.py
pydoc.py gh-89828: Do not relay the __class__ attribute in GenericAlias (GH-93754) 2022-06-18 07:41:25 -07:00
queue.py gh-90879: Fix missing parameter for put_nowait() (GH-91514) 2022-04-14 17:23:57 +09:00
quopri.py
random.py bpo-46737: Add default arguments to random.gauss and normalvariate (GH-31360) 2022-02-15 17:12:15 -06:00
reprlib.py bpo-39549: reprlib.Repr uses a “fillvalue” attribute (GH-18343) 2021-09-22 15:45:58 -05:00
rlcompleter.py gh-92345: Import rlcompleter before sys.path is extended (#92346) 2022-05-05 21:24:16 +02:00
runpy.py bpo-26792: Improve docstrings of runpy module run_functions (#30729) 2022-04-29 12:22:46 -06:00
sched.py
secrets.py bpo-47126: Update to canonical PEP URLs specified by PEP 676 (GH-32124) 2022-03-30 12:00:27 +01:00
selectors.py bpo-46583: remove unused sys.version_info check from selectors (GH-31023) 2022-02-02 10:15:02 +02:00
shelve.py
shlex.py
shutil.py gh-94844: Add pathlib support to shutil archive management (GH-94846) 2022-07-20 09:19:35 -07:00
signal.py bpo-27718: Fix help for the signal module (GH-30063) 2021-12-13 11:21:55 +02:00
site.py gh-90473: disable user site packages on WASI/Emscripten (GH-93633) 2022-06-09 09:12:51 -07:00
smtpd.py bpo-47061: use warnings._deprecated() with asynchat, asyncore, and smtpd (GH-32350) 2022-04-06 11:22:39 -07:00
smtplib.py bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) 2021-08-29 16:10:50 +02:00
sndhdr.py gh-91217: deprecate-sndhdr (#91806) 2022-04-22 15:48:03 -07:00
socket.py Grammar fix to socket error string (GH-93523) (GH-93560) 2022-06-07 10:10:24 +02:00
socketserver.py bpo-40280: Disable AF_UNIX, AF_PACKET, SO_REUSE* on Emscripten (#31829) 2022-03-11 23:25:14 +01:00
sre_compile.py bpo-47152: Convert the re module into a package (GH-32177) 2022-04-02 11:35:13 +03:00
sre_constants.py bpo-47152: Convert the re module into a package (GH-32177) 2022-04-02 11:35:13 +03:00
sre_parse.py bpo-47152: Convert the re module into a package (GH-32177) 2022-04-02 11:35:13 +03:00
ssl.py bpo-46604: fix function name in ssl module docstring (#31064) 2022-05-03 09:56:24 -06:00
stat.py
statistics.py Fix typo in _exact_ratio comment. (GH-94789) 2022-07-12 14:57:39 -07:00
string.py bpo-46307: Add string.Template.get_identifiers() method (GH-30493) 2022-01-11 11:15:42 -08:00
stringprep.py
struct.py
subprocess.py gh-95174: Handle missing waitpid and gethostbyname in WASI (GH-95181) 2022-07-23 23:30:39 -07:00
sunau.py gh-91217: deprecate sunau (GH-91866) 2022-04-25 16:26:43 -07:00
symtable.py Change list to view object (GH-93661) 2022-06-11 04:20:52 -07:00
sysconfig.py [3.11] gh-92897: Ensure venv --copies respects source build property of the creating interpreter (GH-92899) (GH-94567) 2022-07-05 16:40:17 +01:00
tabnanny.py
tarfile.py gh-91387: Strip trailing slash from tarfile longname directories (GH-32423) 2022-06-21 11:09:07 -07:00
telnetlib.py gh-91217: deprecate telnetlib (GH-91958) 2022-04-26 10:45:08 -07:00
tempfile.py gh-83499: Fix closing file descriptors in tempfile (GH-93874) 2022-06-26 01:38:06 -07:00
textwrap.py bpo-46544: Do not leak x and uspace in textwrap.TextWrapper (GH-30955) 2022-01-27 13:55:58 +02:00
this.py
threading.py fix threading.Event.isSet() docstring (GH-96297) 2022-08-26 22:32:03 -07:00
timeit.py
token.py
tokenize.py bpo-46565: del loop vars that are leaking into module namespaces (GH-30993) 2022-02-03 11:20:08 +02:00
trace.py
traceback.py [3.11] gh-93883: elide traceback indicators when possible (GH-93994) (GH-94740) 2022-07-11 04:27:29 -07:00
tracemalloc.py
tty.py
turtle.py Fix typo in turtle deprecation warning and use warnings._deprecated (#91862) 2022-05-02 10:57:00 -06:00
types.py gh-89828: Do not relay the __class__ attribute in GenericAlias (GH-93754) 2022-06-18 07:41:25 -07:00
typing.py gh-96385: Correctly raise error on [*T, *V] substitution (GH-96386) (#96407) 2022-08-30 11:58:54 +01:00
uu.py gh-91217: deprecate uu (GH-92009) 2022-04-27 20:26:33 -07:00
uuid.py gh-95174: Handle missing waitpid and gethostbyname in WASI (GH-95181) 2022-07-23 23:30:39 -07:00
warnings.py gh-91230: Concise catch_warnings with simplefilter (#91435) 2022-04-23 17:55:22 -07:00
wave.py gh-47061: Deprecate chunk (GH-91419) 2022-04-11 15:02:41 -07:00
weakref.py Remove unnecessary registration of weakref.WeakSet to _collections_abc.Set (GH-32211) 2022-03-31 09:11:35 -05:00
webbrowser.py bpo-43137: Revert "webbrowser: Don't run gvfs-open on GNOME" (GH-30417) 2022-01-05 11:53:23 +00:00
xdrlib.py gh-91217: deprecate xdrlib (GH-92066) 2022-04-29 18:22:10 -07:00
zipapp.py
zipfile.py gh-95463: Remove backwards incompatible change regarding the _MASK_UTF_FILENAME flags in bpo-28080 (GH-96072) 2022-08-18 17:12:15 -07:00
zipimport.py gh-91181: drop support for bytes on sys.path (GH-31934) 2022-07-16 18:31:25 -07:00