diff options
| author | Gregory P. Smith <gps@google.com> | 2022-09-02 16:35:08 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-02 16:35:08 (GMT) |
| commit | 511ca9452033ef95bc7d7fc404b8161068226002 (patch) | |
| tree | cefd49e0c9c75f912fa28d05eae15335273aaa8e /Doc/using | |
| parent | 656167db81a53934da55d90ed431449d8a4fc14b (diff) | |
| download | cpython-511ca9452033ef95bc7d7fc404b8161068226002.zip cpython-511ca9452033ef95bc7d7fc404b8161068226002.tar.gz cpython-511ca9452033ef95bc7d7fc404b8161068226002.tar.bz2 | |
gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499)
Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds.
This PR comes fresh from a pile of work done in our private PSRT security response team repo.
Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).
<!-- gh-issue-number: gh-95778 -->
* Issue: gh-95778
<!-- /gh-issue-number -->
I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
Diffstat (limited to 'Doc/using')
| -rw-r--r-- | Doc/using/cmdline.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/Doc/using/cmdline.rst b/Doc/using/cmdline.rst index fa2b07e..6a33d98 100644 --- a/Doc/using/cmdline.rst +++ b/Doc/using/cmdline.rst @@ -505,6 +505,9 @@ Miscellaneous options stored in a traceback of a trace. Use ``-X tracemalloc=NFRAME`` to start tracing with a traceback limit of *NFRAME* frames. See the :func:`tracemalloc.start` for more information. + * ``-X int_max_str_digits`` configures the :ref:`integer string conversion + length limitation <int_max_str_digits>`. See also + :envvar:`PYTHONINTMAXSTRDIGITS`. * ``-X importtime`` to show how long each import takes. It shows module name, cumulative time (including nested imports) and self time (excluding nested imports). Note that its output may be broken in multi-threaded @@ -583,6 +586,9 @@ Miscellaneous options The ``-X frozen_modules`` option. .. versionadded:: 3.12 + The ``-X int_max_str_digits`` option. + + .. versionadded:: 3.12 The ``-X perf`` option. @@ -763,6 +769,13 @@ conflict. .. versionadded:: 3.2.3 +.. envvar:: PYTHONINTMAXSTRDIGITS + + If this variable is set to an integer, it is used to configure the + interpreter's global :ref:`integer string conversion length limitation + <int_max_str_digits>`. + + .. versionadded:: 3.12 .. envvar:: PYTHONIOENCODING |