diff options
author | C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM> | 2022-10-17 01:43:13 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-10-17 01:43:13 (GMT) |
commit | bb38b39b339191c5fc001c8fbfbc3037c13bc7bb (patch) | |
tree | d9c6c0662f60267f65fe590fc786e4ecfdd3fbee | |
parent | ae192178679c532e2c1b2d3b8c0928b77e0fe90e (diff) | |
download | cpython-bb38b39b339191c5fc001c8fbfbc3037c13bc7bb.zip cpython-bb38b39b339191c5fc001c8fbfbc3037c13bc7bb.tar.gz cpython-bb38b39b339191c5fc001c8fbfbc3037c13bc7bb.tar.bz2 |
gh-95913: Forward-port int/str security change to 3.11 What's New in main (#98344)
Add int/str security change from issue gh-95778 PRs gh-96499 / gh-95800
Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]
-rw-r--r-- | Doc/whatsnew/3.11.rst | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/Doc/whatsnew/3.11.rst b/Doc/whatsnew/3.11.rst index 56a35f4..73e23a1 100644 --- a/Doc/whatsnew/3.11.rst +++ b/Doc/whatsnew/3.11.rst @@ -530,6 +530,17 @@ Other CPython Implementation Changes and with the new :option:`--help-all`. (Contributed by Éric Araujo in :issue:`46142`.) +* Converting between :class:`int` and :class:`str` in bases other than 2 + (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) + now raises a :exc:`ValueError` if the number of digits in string form is + above a limit to avoid potential denial of service attacks due to the + algorithmic complexity. This is a mitigation for `CVE-2020-10735 + <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_. + This limit can be configured or disabled by environment variable, command + line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion + length limitation <int_max_str_digits>` documentation. The default limit + is 4300 digits in string form. + .. _whatsnew311-new-modules: |