Converting between int
and str
in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError
if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys
APIs. See the integer string conversion length
limitation <int_max_str_digits>
documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.