cpython/Lib
Gregory P. Smith 511ca94520
gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499)
Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

* Issue: gh-95778

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
2022-09-02 09:35:08 -07:00
__phello__ bpo-45020: Add more test cases for frozen modules. (gh-28664) 2021-09-30 18:38:52 -06:00
asyncio GH-74116: Allow multiple drain waiters for asyncio.StreamWriter (GH-94705) 2022-08-29 11:31:11 -07:00
collections bpo-39264: Fix UserDict.get() to account for __missing__() (GH-17910) 2022-05-10 14:23:45 -07:00
concurrent gh-95166: cancel map waited on future on timeout (GH-95169) 2022-07-28 11:20:10 +02:00
ctypes gh-92869: ctypes: Add c_time_t (#92870) 2022-07-03 11:58:02 -07:00
curses bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
dbm bpo-40563: Support pathlike objects on dbm/shelve (GH-21849) 2021-09-10 15:26:16 +03:00
distutils gh-90473: Fix more tests on platforms without umask (GH-95164) 2022-07-23 12:26:31 +02:00
email gh-95087: Fix IndexError in parsing invalid date in the email module (GH-95201) 2022-07-25 09:17:25 +03:00
encodings bpo-46659: Fix the MBCS codec alias on Windows (GH-31218) 2022-02-22 22:04:07 +01:00
ensurepip gh-95609: update bundled pip to 22.2.2 (gh-95610) 2022-08-03 20:26:51 +01:00
html gh-95813: Improve HTMLParser from the view of inheritance (#95874) 2022-08-18 13:16:33 +02:00
http gh-95149: Enhance http.HTTPStatus with properties that indicate the HTTP status category (GH-95453) 2022-08-30 11:11:44 -07:00
idlelib gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
importlib gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
json GH-96145: Add AttrDict to JSON module for use with object_hook (#96146) 2022-08-23 16:22:00 -05:00
lib2to3 gh-54781: Move Lib/lib2to3/tests/ to Lib/test/test_lib2to3/ (#94049) 2022-06-21 15:21:22 +02:00
logging gh-89258: Add a getChildren() method to logging.Logger. (GH-96444) 2022-08-31 10:50:29 +01:00
msilib gh-91217: deprecate msilib (GH-91515) 2022-04-14 12:50:11 -07:00
multiprocessing GH-83658: make multiprocessing.Pool raise an exception if maxtasksperchild is not None or a positive int (GH-93364) 2022-06-17 00:14:26 -07:00
pydoc_data Python 3.11.0b1 2022-05-06 23:53:50 +01:00
re gh-91404: Revert "bpo-23689: re module, fix memory leak when a match is terminated by a signal or allocation failure (GH-32283) (#93882) 2022-06-17 01:19:44 -07:00
site-packages
sqlite3 gh-95273: Improve sqlite3.complete_statement docs (#95840) 2022-08-12 01:05:12 +02:00
test gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
tkinter gh-54781: Move Lib/tkinter/test/test_ttk/ to Lib/test/test_ttk/ (#94070) 2022-06-22 22:23:37 +02:00
tomllib bpo-40059: Add tomllib (PEP-680) (GH-31498) 2022-03-08 09:26:13 +01:00
turtledemo
unittest gh-95736: Fix event loop creation in IsolatedAsyncioTestCase (GH-96033) 2022-08-17 02:05:17 -07:00
urllib gh-95865: Speed up urllib.parse.quote_from_bytes() (GH-95872) 2022-08-30 21:39:51 -04:00
venv gh-93858: Prevent error when activating venv in nested fish instances (GH-93931) 2022-06-27 16:26:02 +01:00
wsgiref gh-95105: Return Iterator from wsgiref.types.InputStream.__iter__ (#95106) 2022-07-21 13:26:04 -07:00
xml gh-96175: add missing self._localName assignment in xml.dom.minidom.Attr (#96176) 2022-08-23 09:16:02 -07:00
xmlrpc bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
zoneinfo bpo-46124: Update zoneinfo to rely on importlib.resources traversable API. (GH-30190) 2022-01-21 13:18:31 -08:00
__future__.py gh-93626: Set the release for __future__.annotations to None (GH-93628) 2022-07-05 10:46:39 +02:00
__hello__.py bpo-47084: Clear Unicode cached representations on finalization (GH-32032) 2022-03-22 13:53:51 +01:00
_aix_support.py
_collections_abc.py Add notes for maintaining ABCs (#92736) 2022-05-12 13:18:39 -05:00
_compat_pickle.py bpo-46565: del loop vars that are leaking into module namespaces (GH-30993) 2022-02-03 11:20:08 +02:00
_compression.py
_markupbase.py
_osx_support.py [codemod] Fix non-matching bracket pairs (GH-28473) 2021-09-22 01:09:00 +02:00
_py_abc.py
_pydecimal.py gh-91291: Accept attributes as keyword arguments in decimal.localcontext (#32242) 2022-04-21 21:27:15 -07:00
_pyio.py gh-94169: Remove deprecated io.OpenWrapper (#94170) 2022-06-24 08:46:53 +02:00
_sitebuiltins.py
_strptime.py
_threading_local.py
_weakrefset.py bpo-26579: Add object.__getstate__(). (GH-2821) 2022-04-06 20:00:14 +03:00
abc.py bpo-43827: Make arguments to abc.ABCMeta.__new__ pos-only (#25385) 2022-05-05 06:40:01 -07:00
aifc.py gh-47061: Deprecate chunk (GH-91419) 2022-04-11 15:02:41 -07:00
antigravity.py
argparse.py gh-92445 Improve interaction between nargs="*" and choices() (GH-92565) 2022-08-25 06:18:38 -05:00
ast.py ast.parse: check feature_version common case first (GH-94640) 2022-08-29 17:05:24 +03:00
asynchat.py bpo-47061: use warnings._deprecated() with asynchat, asyncore, and smtpd (GH-32350) 2022-04-06 11:22:39 -07:00
asyncore.py bpo-47061: use warnings._deprecated() with asynchat, asyncore, and smtpd (GH-32350) 2022-04-06 11:22:39 -07:00
base64.py gh-93096: Remove python -m base64 -t (gh-94230) 2022-07-02 15:53:43 +09:00
bdb.py
bisect.py
bz2.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-19 11:51:48 +09:00
calendar.py bpo-46659: Enhance LocaleTextCalendar for C locale (GH-31214) 2022-02-24 14:29:08 +01:00
cgi.py bpo-47061: deprecate cgi and cgitb (GH-32410) 2022-04-08 17:15:35 -07:00
cgitb.py bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
chunk.py gh-47061: Deprecate chunk (GH-91419) 2022-04-11 15:02:41 -07:00
cmd.py gh-67248: cmd: Sort miscellaneous help topics (#92254) 2022-05-03 21:36:52 -06:00
code.py
codecs.py gh-93096: Remove python -m codecs (gh-94233) 2022-07-02 14:45:31 +09:00
codeop.py Remove trailing spaces (GH-31695) 2022-03-05 17:47:00 +02:00
colorsys.py
compileall.py Fixed documentation typo in compileall.py (GH-29912) 2021-12-05 00:38:17 +09:00
configparser.py gh-89336: Remove configparser APIs that were deprecated for 3.12 (#92503) 2022-06-21 14:31:25 -07:00
contextlib.py gh-92118: fix traceback of exceptions propagated from inside a contextlib.contextmanager (GH-92202) 2022-05-04 19:40:47 +01:00
contextvars.py
copy.py gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609) 2022-06-09 10:12:43 +03:00
copyreg.py bpo-26579: Add object.__getstate__(). (GH-2821) 2022-04-06 20:00:14 +03:00
cProfile.py bpo-34861: Make cumtime the default sorting key for cProfile (GH-31929) 2022-03-30 12:10:10 +01:00
crypt.py gh-95231: Disable md5 & crypt modules if FIPS is enabled (GH-94742) 2022-08-15 07:48:07 -07:00
csv.py gh-76728: Coerce DictReader and DictWriter fieldnames argument to a list (GH-32225) 2022-08-25 05:13:24 -05:00
dataclasses.py Fix minor docstring issues in dataclasses.py. (gh-93024) 2022-07-26 10:48:58 -04:00
datetime.py gh-69142: add %:z strftime format code (gh-95983) 2022-08-28 14:27:42 -07:00
decimal.py
difflib.py Correct method name typo (#91970) 2022-04-27 15:28:56 -06:00
dis.py bpo-40222: Mark exception table function in the dis module as private (#95961) 2022-08-14 15:42:31 +01:00
doctest.py bpo-28249: fix lineno location for empty DocTest instances (GH-30498) 2022-05-19 17:46:15 +02:00
enum.py gh-95149: Enhance http.HTTPStatus with properties that indicate the HTTP status category (GH-95453) 2022-08-30 11:11:44 -07:00
filecmp.py gh-93991: Use boolean instead of 0/1 for condition check (GH-93992) 2022-06-19 07:12:59 -07:00
fileinput.py gh-93157: Fix fileinput didn't support errors in inplace mode (GH-95128) 2022-07-24 11:42:11 +09:00
fnmatch.py gh-89973: Fix re.error in the fnmatch module. (GH-93072) 2022-06-05 11:46:29 +03:00
fractions.py Allow whitespace around a slash in fraction string inputs (GH-96496) 2022-09-02 11:10:58 -05:00
ftplib.py bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
functools.py gh-89828: Do not relay the __class__ attribute in GenericAlias (#93754) 2022-06-18 11:34:57 +03:00
genericpath.py
getopt.py bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
getpass.py
gettext.py
glob.py bpo-37578: glob.glob -- added include_hidden parameter (GH-30153) 2021-12-18 06:23:34 -08:00
graphlib.py bpo-45359: Support TopologicalSorter type subscript (GH-28714) 2021-12-08 20:52:57 +02:00
gzip.py gh-94196: Remove gzip.GzipFile.filename attribute (#94197) 2022-06-24 11:59:32 +02:00
hashlib.py gh-94199: Remove hashlib.pbkdf2_hmac() Python implementation (GH-94200) 2022-06-28 11:51:13 +02:00
heapq.py Update: usage doc for heappushpop (GH-91451) 2022-04-17 23:12:33 -05:00
hmac.py
imaplib.py
imghdr.py gh-91217: deprecate imghdr (#91461) 2022-04-13 10:47:41 -07:00
imp.py bpo-45019: Do some cleanup related to frozen modules. (gh-28319) 2021-09-13 16:18:37 -06:00
inspect.py bpo-33587: inspect.getsource: reorder stat on file in linecache (GH-6805) 2022-08-26 15:20:48 +01:00
io.py gh-94169: Remove deprecated io.OpenWrapper (#94170) 2022-06-24 08:46:53 +02:00
ipaddress.py bpo-46415: Use f-string for ValueError in ipaddress.ip_{address,network,interface} helper functions (#30642) 2022-05-03 06:12:58 -06:00
keyword.py
linecache.py gh-92336: linecache.getline should not raise exceptions on decoding errors (GH-94410) 2022-06-30 10:18:18 +01:00
locale.py gh-94226: Remove the locale.format() function (#94229) 2022-06-26 12:41:19 +02:00
lzma.py bpo-45475: Revert __iter__ optimization for GzipFile, BZ2File, and LZMAFile. (GH-29016) 2021-10-19 11:51:48 +09:00
mailbox.py
mailcap.py gh-68966: Make mailcap refuse to match unsafe filenames/types/params (GH-91993) 2022-06-03 11:43:35 +02:00
mimetypes.py bpo-45639: Add webp and avif image formats to mimetypes (#29259) 2022-05-03 15:17:57 -06:00
modulefinder.py bpo-45017: move opcode-related logic from modulefinder to dis (GH-28246) 2021-09-09 14:04:12 +01:00
netrc.py netrc: Remove unused "import shlex" (#93311) 2022-06-03 20:14:58 -07:00
nntplib.py gh-91217: deprecate nntplib (GH-91543) 2022-04-15 12:32:56 -07:00
ntpath.py gh-81790: support "UNC" device paths in ntpath.splitdrive() (GH-91882) 2022-06-10 16:59:55 +01:00
nturl2path.py
numbers.py Fix numbers.Real.__rdivmod__ doc string (#31991) 2022-05-13 09:49:36 -05:00
opcode.py gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
operator.py bpo-44019: Add operator.call() to __all__ for the operator module (GH-29110) 2021-10-21 19:05:36 +09:00
optparse.py
os.py gh-87901: Remove the encoding argument from os.popen (GH-92836) 2022-05-19 11:42:43 +09:00
pathlib.py gh-94909: fix joining of absolute and relative Windows paths in pathlib (GH-95450) 2022-08-12 14:23:41 -07:00
pdb.py gh-95913: make the new internal classes pdb.ModuleTarget/ScriptTarget private (GH-96053) 2022-08-18 11:16:07 +01:00
pickle.py gh-90494: Reject 6th element of the __reduce__() tuple (GH-93609) 2022-06-09 10:12:43 +03:00
pickletools.py
pipes.py gh-91217: deprecate-pipes (GH-91779) 2022-04-21 19:28:34 -07:00
pkgutil.py [codemod] Fix non-matching bracket pairs (GH-28473) 2021-09-22 01:09:00 +02:00
platform.py gh-94713 - Replacing while 1 with while True (#94714) 2022-07-12 22:53:14 -05:00
plistlib.py bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
poplib.py
posixpath.py gh-91838: Resolve more HTTP links which redirect to HTTPS (GH-95650) 2022-08-08 14:00:17 +03:00
pprint.py gh-92546: Move pprint benchmark into pyperformance (GH-94613) 2022-07-25 11:30:13 -07:00
profile.py
pstats.py
pty.py bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
py_compile.py bpo-45428: Fix reading filenames from stdin in py_compile (GH-28848) 2021-10-15 12:38:55 +03:00
pyclbr.py
pydoc.py gh-94318: Strip trailing spaces in pydoc text output (GH-94319) 2022-06-27 13:33:34 +03:00
queue.py gh-90879: Fix missing parameter for put_nowait() (GH-91514) 2022-04-14 17:23:57 +09:00
quopri.py
random.py bpo-37000: Remove obsolete comment in _randbelow_with_getrandbits (#95775) 2022-08-08 18:22:26 -05:00
reprlib.py gh-94343: Ease initialization of reprlib.Repr attributes (GH-94581) 2022-07-07 09:55:33 -05:00
rlcompleter.py gh-92345: Import rlcompleter before sys.path is extended (#92346) 2022-05-05 21:24:16 +02:00
runpy.py bpo-26792: Improve docstrings of runpy module run_functions (#30729) 2022-04-29 12:22:46 -06:00
sched.py
secrets.py bpo-47126: Update to canonical PEP URLs specified by PEP 676 (GH-32124) 2022-03-30 12:00:27 +01:00
selectors.py bpo-46583: remove unused sys.version_info check from selectors (GH-31023) 2022-02-02 10:15:02 +02:00
shelve.py
shlex.py gh-94352: shlex.split() no longer accepts None (#94353) 2022-07-04 15:29:19 +02:00
shutil.py gh-94844: Add pathlib support to shutil archive management (GH-94846) 2022-07-20 18:55:12 +03:00
signal.py bpo-27718: Fix help for the signal module (GH-30063) 2021-12-13 11:21:55 +02:00
site.py gh-90473: disable user site packages on WASI/Emscripten (GH-93633) 2022-06-09 17:45:29 +02:00
smtplib.py bpo-43124: Fix smtplib multiple CRLF injection (GH-25987) 2021-08-29 16:10:50 +02:00
sndhdr.py gh-91217: deprecate-sndhdr (#91806) 2022-04-22 15:48:03 -07:00
socket.py gh-96320: WASI socket fixes (#96388) 2022-08-30 06:36:11 +02:00
socketserver.py bpo-40280: Disable AF_UNIX, AF_PACKET, SO_REUSE* on Emscripten (#31829) 2022-03-11 23:25:14 +01:00
sre_compile.py bpo-47152: Convert the re module into a package (GH-32177) 2022-04-02 11:35:13 +03:00
sre_constants.py bpo-47152: Convert the re module into a package (GH-32177) 2022-04-02 11:35:13 +03:00
sre_parse.py bpo-47152: Convert the re module into a package (GH-32177) 2022-04-02 11:35:13 +03:00
ssl.py gh-94199: Remove the ssl.wrap_socket() function (#94203) 2022-07-08 15:20:15 +02:00
stat.py
statistics.py Improve accuracy for Spearman's rank correlation coefficient. (#96392) 2022-08-29 12:19:48 -05:00
string.py bpo-46307: Add string.Template.get_identifiers() method (GH-30493) 2022-01-11 11:15:42 -08:00
stringprep.py
struct.py
subprocess.py gh-95174: Handle missing waitpid and gethostbyname in WASI (GH-95181) 2022-07-24 08:04:06 +02:00
sunau.py bpo-44712: Replace "type(literal)" with corresponding builtin types (GH-27294) 2022-05-08 17:10:11 +03:00
symtable.py Change list to view object (#93661) 2022-06-11 11:54:31 +01:00
sysconfig.py gh-92897: Ensure venv --copies respects source build property of the creating interpreter (GH-92899) 2022-07-05 16:08:20 +01:00
tabnanny.py
tarfile.py bpo-26253: Add compressionlevel to tarfile stream (GH-2962) 2022-06-25 11:43:54 +03:00
telnetlib.py gh-91217: deprecate telnetlib (GH-91958) 2022-04-26 10:45:08 -07:00
tempfile.py gh-83499: Fix closing file descriptors in tempfile (GH-93874) 2022-06-26 10:58:28 +03:00
textwrap.py bpo-46544: Do not leak x and uspace in textwrap.TextWrapper (GH-30955) 2022-01-27 13:55:58 +02:00
this.py
threading.py gh-96349: fix minor performance regression initializing threading.Event (gh-96350) 2022-08-30 21:10:02 +09:00
timeit.py
token.py
tokenize.py bpo-46565: del loop vars that are leaking into module namespaces (GH-30993) 2022-02-03 11:20:08 +02:00
trace.py
traceback.py gh-87822: Make traceback module robust to exceptions from repr() of local values (GH-94691) 2022-07-11 10:14:15 +01:00
tracemalloc.py
tty.py
turtle.py Fix typo in turtle deprecation warning and use warnings._deprecated (#91862) 2022-05-02 10:57:00 -06:00
types.py gh-89828: Do not relay the __class__ attribute in GenericAlias (#93754) 2022-06-18 11:34:57 +03:00
typing.py GH-96079 Fix missing field name for _AnnotatedAlias (#96080) 2022-08-31 16:02:24 -07:00
uu.py gh-91217: deprecate uu (GH-92009) 2022-04-27 20:26:33 -07:00
uuid.py gh-95174: Handle missing waitpid and gethostbyname in WASI (GH-95181) 2022-07-24 08:04:06 +02:00
warnings.py gh-91230: Concise catch_warnings with simplefilter (#91435) 2022-04-23 17:55:22 -07:00
wave.py gh-47061: Deprecate chunk (GH-91419) 2022-04-11 15:02:41 -07:00
weakref.py Remove unnecessary registration of weakref.WeakSet to _collections_abc.Set (GH-32211) 2022-03-31 09:11:35 -05:00
webbrowser.py bpo-43137: Revert "webbrowser: Don't run gvfs-open on GNOME" (GH-30417) 2022-01-05 11:53:23 +00:00
xdrlib.py gh-91217: deprecate xdrlib (GH-92066) 2022-04-29 18:22:10 -07:00
zipapp.py bpo-46951: Order contents of zipapps (GH-31713) 2022-05-27 19:04:29 +03:00
zipfile.py gh-95463: Remove backwards incompatible change regarding the _MASK_UTF_FILENAME flags in bpo-28080 (GH-96072) 2022-08-18 16:45:55 -07:00
zipimport.py gh-91181: drop support for bytes on sys.path (GH-31934) 2022-07-16 18:07:53 -07:00