mirror of
https://github.com/python/cpython
synced 2024-10-14 18:31:31 +00:00
gh-95913: Forward-port int/str security change to 3.11 What's New in main (#98344)
Add int/str security change from issue gh-95778 PRs gh-96499 / gh-95800 Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
This commit is contained in:
parent
ae19217867
commit
bb38b39b33
|
@ -530,6 +530,17 @@ Other CPython Implementation Changes
|
|||
and with the new :option:`--help-all`.
|
||||
(Contributed by Éric Araujo in :issue:`46142`.)
|
||||
|
||||
* Converting between :class:`int` and :class:`str` in bases other than 2
|
||||
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
|
||||
now raises a :exc:`ValueError` if the number of digits in string form is
|
||||
above a limit to avoid potential denial of service attacks due to the
|
||||
algorithmic complexity. This is a mitigation for `CVE-2020-10735
|
||||
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
|
||||
This limit can be configured or disabled by environment variable, command
|
||||
line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
|
||||
length limitation <int_max_str_digits>` documentation. The default limit
|
||||
is 4300 digits in string form.
|
||||
|
||||
|
||||
.. _whatsnew311-new-modules:
|
||||
|
||||
|
|
Loading…
Reference in a new issue