[3.8] gh-95778: CVE-2020-10735: Prevent DoS by very large int() #96503
Commits on Aug 24, 2022
Backport to 3.8 of psrt/CVE-2020-10735-3.10backport.
Co-authored-by: Gregory P. Smith <greg@krypto.org>
Commit b518238
Commits on Aug 30, 2022
Commit 504e82f
Commit cae5eba
Backport the Parser/pegen.c change for a good SyntaxError to ast.c.
Fixes test_ast and test_compile.
Commit cd54fc3
Commit eb68f9c
Commits on Sep 1, 2022
Commit 75bbbbf
Move the whatsnew text per review.
Ned pointed this out on the 3.7 branch; it matches other patch changes and stands out better.
Commit 14467fc
Merge branch 'CVE-2020-10735-3.8backport' of github.com:python/psrt into CVE-2020-10735-3.8backport
Commit 1e39232
Commit 70b9aef
Commits on Sep 2, 2022
Commit 7eb255f
Commit 0504ecb
Commit 8acc891
Commits on Sep 4, 2022
Commit 52f2c26
Commit 510349b
remove unneeded doc note on float.as_integer_ratio
Per mdickinson@'s comment on the main branch PR.
Commit ac99726
pythongh-95778: Correctly pre-check for int-to-str conversion (python#96537)

Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DoS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

The justification for the current check. The C code check is:

```c
max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
```

In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:

$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

From this it follows that

$$\frac{M}{3L} < \frac{s-1}{10}$$

hence that

$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$

So

$$2^{L(s-1)} > 10^M.$$

But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.

* Issue: pythongh-95778

Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>
Commit 17bd053
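The commit message above argues that the cheap pre-check never rejects a value with at most `max_str_digits` decimal digits, and that values which exceed the limit but slip past it are caught by the exact check after conversion. The following is an added Python model of that two-stage limit written for this page; it is not CPython's code and the function names (`size_a`, `precheck_rejects`, `reject_stage`, `smallest_rejected`, `precheck_is_sound`) are this example's own. It assumes `PyLong_SHIFT` is 30 (the 64-bit build value) and that the interpreter refuses limits below 640 digits, which is what keeps the integer division in the check away from zero or negative left-hand sides; both constants are marked as assumptions in the code.

```python
"""Model of the int-to-str digit-limit pre-check from the commit above (added example,
not CPython code; all names here are this example's own)."""

# CPython stores an int as an array of base 2**PyLong_SHIFT "digits"; 30 is the value
# on 64-bit builds (assumption for this model, the C code uses the real macro).
PYLONG_SHIFT = 30
# CPython will not accept a digit limit below 640 (assumption: the interpreter's minimum
# threshold), so the check's left-hand side is always at least 640 // 90 == 7 here.
MIN_MAX_STR_DIGITS = 640


def size_a(n: int) -> int:
    """Number of base-2**PYLONG_SHIFT digits in |n| (the C code's size_a); 0 for n == 0."""
    return -(-abs(n).bit_length() // PYLONG_SHIFT)  # ceiling division


def c_div(a: int, b: int) -> int:
    """C integer division, which truncates toward zero (Python's // floors instead)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def precheck_rejects(n: int, max_str_digits: int) -> bool:
    """The O(1) test run before the quadratic conversion, with C division semantics:
        max_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10
    True means |n| is guaranteed to have more than max_str_digits decimal digits."""
    if max_str_digits < MIN_MAX_STR_DIGITS:
        raise ValueError(f"limit must be at least {MIN_MAX_STR_DIGITS} digits")
    lhs = c_div(max_str_digits, 3 * PYLONG_SHIFT)
    rhs = c_div(size_a(n) - 11, 10)
    return lhs <= rhs


def decimal_digits(n: int) -> int:
    """Exact decimal digit count of |n|; this is the quadratic-time step being guarded."""
    return len(str(abs(n)))


def reject_stage(n: int, max_str_digits: int) -> str:
    """Which stage of the two-stage limit stops n: 'precheck', 'exact' or 'none'.

    Values over the limit that slip past the pre-check are still caught by the exact
    post-conversion check, so the limit stays exact; they are just small enough that
    the conversion they paid for is cheap."""
    if precheck_rejects(n, max_str_digits):
        return "precheck"
    if decimal_digits(n) > max_str_digits:
        return "exact"
    return "none"


def int_to_decimal_guarded(n: int, max_str_digits: int) -> str:
    """str(n) under the limit, raising ValueError at whichever stage trips."""
    stage = reject_stage(n, max_str_digits)
    if stage != "none":
        raise ValueError(f"exceeds the limit ({max_str_digits} digits) at the {stage} check")
    return str(n)


def smallest_rejected(max_str_digits: int) -> int:
    """Smallest |n| the pre-check rejects.

    The check needs (s - 11) // 10 >= M // (3L), i.e. s >= 10 * (M // (3L)) + 11, and
    the smallest int with s base-2**L digits is 2**(L * (s - 1))."""
    lhs = c_div(max_str_digits, 3 * PYLONG_SHIFT)
    s_min = 10 * lhs + 11
    return 1 << (PYLONG_SHIFT * (s_min - 1))


def precheck_is_sound(max_str_digits: int) -> bool:
    """The commit's soundness claim for one limit: the pre-check never fires on a value
    with <= max_str_digits decimal digits. Rejection is monotone in |n| (size_a only
    grows with |n|), so checking the smallest rejected value is enough."""
    n = smallest_rejected(max_str_digits)
    return precheck_rejects(n, max_str_digits) and decimal_digits(n) > max_str_digits


if __name__ == "__main__":
    M = 640
    for n in (10**M - 1, 10**M, smallest_rejected(M) - 1, smallest_rejected(M), 10**800):
        print(f"{decimal_digits(n):4d} digits, size_a={size_a(n):3d}: {reject_stage(n, M)}")
    print("pre-check sound for limits 640..2999:",
          all(precheck_is_sound(m) for m in range(640, 3000)))
```

With the 640-digit limit, `10**640` (641 digits) has `size_a == 71` and passes the pre-check, so it is the exact post-conversion check that rejects it; the pre-check does not fire until `2**2400` (723 digits, `size_a == 81`). That gap is the "those that slip through will still be on the small side" case from the commit: the conversion still runs for them, but only on numbers a few hundred digits over the limit.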
Commit c9212d5