languages/cpython
languages/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython synced 2024-10-06 13:07:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
cpython/Objects
History
Gregory P. Smith 511ca94520
gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 
Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.

This PR comes fresh from a pile of work done in our private PSRT security response team repo.

Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).

<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->

I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
2022-09-02 09:35:08 -07:00
..
clinic gh-90928: Improve static initialization of keywords tuple in AC (#95907) 2022-08-13 12:09:40 +02:00
stringlib gh-90928: Improve static initialization of keywords tuple in AC (#95907) 2022-08-13 12:09:40 +02:00
abstract.c gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742) 2022-06-14 07:15:26 +03:00
asm_trampoline.S gh-96143: Allow Linux perf profiler to see Python calls (GH-96123) 2022-08-30 10:11:18 -07:00
boolobject.c GH-90699: fix ref counting of static immortal strings (gh-94850) 2022-07-20 15:23:30 +09:00
bytearrayobject.c GH-91153: Handle mutating __index__ methods in bytearray item assignment (GH-94891) 2022-07-19 09:42:40 -07:00
bytes_methods.c gh-93033: Use wmemchr in stringlib (GH-93034) 2022-05-24 10:45:31 +09:00
bytesobject.c GH-93207: Remove HAVE_STDARG_PROTOTYPES configure check for stdarg.h (#93215) 2022-05-27 13:30:45 +02:00
call.c gh-93274: Expose receiving vectorcall in the Limited API (GH-95717) 2022-08-08 14:12:05 +02:00
capsule.c bpo-45855: document that no_block has no use anymore in PyCapsule_Import (#29665) 2021-12-12 10:49:50 +01:00
cellobject.c gh-89653: PEP 670: Convert PyCell macros to functions (#92653) 2022-05-11 23:24:48 +02:00
classobject.c bpo-46764: Fix wrapping bound method with @classmethod (#31367) 2022-05-04 23:00:21 -05:00
codeobject.c GH-96187: Prevent _PyCode_GetExtra to return garbage for negative indexes (GH-96188) 2022-08-23 11:13:53 +01:00
complexobject.c bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
descrobject.c gh-87995: Make MappingProxyType hashable (GH-94252) 2022-06-28 11:54:58 +02:00
dictnotes.txt bpo-46845: Reduce dict size when all keys are Unicode (GH-31564) 2022-03-02 08:09:28 +09:00
dictobject.c Remove dead code in _PyDict_GetItemHint and rename to _PyDict_LookupIndex (GH-95948) 2022-08-18 10:19:21 +01:00
enumobject.c bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
exception_handling_notes.txt gh-96455: update example in exception_handling_notes.txt to the 3.11RC bytecode (GH-96456) 2022-09-01 14:21:39 +01:00
exceptions.c gh-96005: Handle WASI ENOTCAPABLE in getpath (GH-96006) 2022-08-16 20:20:15 +02:00
fileobject.c gh-93741: Add private C API _PyImport_GetModuleAttrString() (GH-93742) 2022-06-14 07:15:26 +03:00
floatobject.c gh-95605: Fix float(s) error message when s contains only whitespace (GH-95665) 2022-08-10 19:25:39 +01:00
frame_layout.md GH-89480: Document motivation, design and implementation of 3.11 frame stack. (GH-32304) 2022-04-11 16:05:20 +01:00
frameobject.c gh-93554: Conditional jump opcodes only jump forward (GH-96318) 2022-09-01 21:36:47 +01:00
funcobject.c Fix the closure argument to PyEval_EvalCodeEx. (GH-92175) 2022-05-02 14:08:22 -06:00
genericaliasobject.c gh-94607: Fix subclassing generics (GH-94610) 2022-07-09 12:18:01 +08:00
genobject.c GH-90997: Wrap yield from/await in a virtual try/except StopIteration (GH-96010) 2022-08-19 12:33:44 -07:00
interpreteridobject.c bpo-35081: Move interpreteridobject.h to Include/internal/ (GH-28969) 2021-10-15 11:56:34 +02:00
iterobject.c bpo-46541: Replace core use of _Py_IDENTIFIER() with statically initialized global objects. (gh-30928) 2022-02-08 13:39:07 -07:00
listobject.c gh-91247: Use memcpy for list and tuple repeat (#91482) 2022-07-25 22:10:23 -04:00
listsort.txt Fix typos in the Objects directory (GH-28766) 2021-10-06 16:57:10 -07:00
lnotab_notes.txt bpo-44525: Split calls into PRECALL and CALL (GH-30011) 2021-12-14 18:22:44 +00:00
locations.md GH-88116: Use a compact format to represent end line and column offsets. (GH-91666) 2022-04-21 16:10:37 +01:00
longobject.c gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499) 2022-09-02 09:35:08 -07:00
memoryobject.c gh-92888: Fix memoryview bad __index__ use after free (GH-92946) 2022-06-17 23:14:53 +08:00
methodobject.c Use static inline function Py_EnterRecursiveCall() (#91988) 2022-05-04 13:30:23 +02:00
moduleobject.c no-issue: Add assertion to PyModule_GetName for understanding (GH-32236) 2022-04-02 09:56:30 +09:00
namespaceobject.c bpo-45482: Rename namespaceobject.h to pycore_namespace.h (GH-28975) 2021-10-15 15:21:21 +02:00
object.c GH-95707: Fix uses of Py_TPFLAGS_MANAGED_DICT (GH-95854) 2022-08-15 12:29:27 +01:00
object_layout.md GH-96068: Document object layout (GH-96069) 2022-08-23 13:55:43 +01:00
object_layout_312.gv GH-96068: Document object layout (GH-96069) 2022-08-23 13:55:43 +01:00
object_layout_312.png GH-96068: Document object layout (GH-96069) 2022-08-23 13:55:43 +01:00
object_layout_full_312.gv GH-96068: Document object layout (GH-96069) 2022-08-23 13:55:43 +01:00
object_layout_full_312.png GH-96068: Document object layout (GH-96069) 2022-08-23 13:55:43 +01:00
obmalloc.c gh-94841: Ensure arena_map_get() is inlined in PyObject_Free() (#94842) 2022-07-14 11:33:25 -07:00
odictobject.c gh-91320: Use _PyCFunction_CAST() (#92251) 2022-05-03 21:42:14 +02:00
perf_trampoline.c gh-96143: Add some comments and minor fixes missed in the original PR (#96433) 2022-08-30 19:37:22 +01:00
picklebufobject.c gh-91118: Fix docstrings that do not honor --without-doc-strings (#31769) 2022-04-17 20:39:32 -07:00
rangeobject.c GH-91432: Specialize FOR_ITER (GH-91713) 2022-06-21 11:19:26 +01:00
README Issue #18093: Factor out the programs that embed the runtime 2014-07-25 21:52:14 +10:00
setobject.c gh-90861: Memory optimization for set.issubset (gh-92799) 2022-05-14 17:58:19 +09:00
sliceobject.c GH-94163: Add BINARY_SLICE and STORE_SLICE instructions. (GH-94168) 2022-06-27 12:24:23 +01:00
structseq.c gh-94673: Add Per-Interpreter tp_subclasses for Static Builtin Types (gh-95301) 2022-08-04 19:26:59 -06:00
tupleobject.c gh-91247: Use memcpy for list and tuple repeat (#91482) 2022-07-25 22:10:23 -04:00
typeobject.c gh-96046: Initialize ht_cached_keys in PyType_Ready() (GH-96047) 2022-08-21 22:24:03 -07:00
typeslots.inc bpo-41073: PyType_GetSlot() can now accept static types. (GH-21931) 2020-11-10 12:53:46 -08:00
typeslots.py bpo-41073: PyType_GetSlot() can now accept static types. (GH-21931) 2020-11-10 12:53:46 -08:00
unicodectype.c bpo-46670: Remove unused macros in the Objects directory (GH-31193) 2022-02-07 16:21:41 +01:00
unicodeobject.c GH-96075: move interned dict under runtime state (GH-96077) 2022-08-22 12:05:21 -07:00
unicodetype_db.h closes bpo-45190: Update Unicode data to version 14.0.0. (GH-28336) 2021-09-14 11:00:38 -07:00
unionobject.c gh-91603: Speed up isinstance/issubclass on union types (GH-91631) 2022-04-28 23:24:19 +08:00
weakrefobject.c gh-94673: Add Per-Interpreter tp_weaklist for Static Builtin Types (#95302) 2022-07-28 19:23:47 -06:00

README 

Source files for various builtin objects