-rw-r--r-- Doc/library/functions.rst 2
-rw-r--r-- Doc/library/json.rst 2
-rw-r--r-- Doc/library/stdtypes.rst 4
-rw-r--r-- Doc/library/sys.rst 8
-rw-r--r-- Doc/library/test.rst 2
-rw-r--r-- Doc/using/cmdline.rst 4
-rw-r--r-- Doc/whatsnew/3.12.rst 11
-rw-r--r-- Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst 14
8 files changed, 11 insertions, 36 deletions
diff --git a/Doc/library/functions.rst b/Doc/library/functions.rst
index b9cf02e..ccb691d 100644
--- a/Doc/library/functions.rst
+++ b/Doc/library/functions.rst
@@ -910,7 +910,7 @@ are always available. They are listed here in alphabetical order.
.. versionchanged:: 3.11
The delegation to :meth:`__trunc__` is deprecated.
- .. versionchanged:: 3.12
+ .. versionchanged:: 3.11
:class:`int` string inputs and string representations can be limited to
help avoid denial of service attacks. A :exc:`ValueError` is raised when
the limit is exceeded while converting a string *x* to an :class:`int` or
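Review bot: Check for leftover 3.12 references to this feature outside the files touched here. The relabel on the ``int`` note in this hunk is one of eleven ``versionadded``/``versionchanged`` edits, and the diffstat lists only files under Doc/ plus the NEWS entry. Any docstring, comment or other page that still names 3.12 for ``int_max_str_digits`` would now disagree with these docs, so a grep for the option name before merging is worthwhile.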
diff --git a/Doc/library/json.rst b/Doc/library/json.rst
index d05d62e..de02be8 100644
--- a/Doc/library/json.rst
+++ b/Doc/library/json.rst
@@ -258,7 +258,7 @@ Basic Usage
be used to use another datatype or parser for JSON integers
(e.g. :class:`float`).
- .. versionchanged:: 3.12
+ .. versionchanged:: 3.11
The default *parse_int* of :func:`int` now limits the maximum length of
the integer string via the interpreter's :ref:`integer string
conversion length limitation <int_max_str_digits>` to help avoid denial
diff --git a/Doc/library/stdtypes.rst b/Doc/library/stdtypes.rst
index be09236..ad4b90b 100644
--- a/Doc/library/stdtypes.rst
+++ b/Doc/library/stdtypes.rst
@@ -5523,7 +5523,7 @@ Verification:
... '571186405732').to_bytes(53, 'big')
...
-.. versionadded:: 3.12
+.. versionadded:: 3.11
Affected APIs
-------------
@@ -5578,7 +5578,7 @@ Information about the default and minimum can be found in :attr:`sys.int_info`:
* :data:`sys.int_info.str_digits_check_threshold <sys.int_info>` is the lowest
accepted value for the limit (other than 0 which disables it).
-.. versionadded:: 3.12
+.. versionadded:: 3.11
.. caution::
diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst
index c6be12c..aab3f6a 100644
--- a/Doc/library/sys.rst
+++ b/Doc/library/sys.rst
@@ -544,7 +544,7 @@ always available.
.. versionchanged:: 3.11
Added the ``safe_path`` attribute for :option:`-P` option.
- .. versionchanged:: 3.12
+ .. versionchanged:: 3.11
Added the ``int_max_str_digits`` attribute.
@@ -732,7 +732,7 @@ always available.
Returns the current value for the :ref:`integer string conversion length
limitation <int_max_str_digits>`. See also :func:`set_int_max_str_digits`.
- .. versionadded:: 3.12
+ .. versionadded:: 3.11
.. function:: getrefcount(object)
@@ -1029,7 +1029,7 @@ always available.
.. versionadded:: 3.1
- .. versionchanged:: 3.12
+ .. versionchanged:: 3.11
Added ``default_max_str_digits`` and ``str_digits_check_threshold``.
@@ -1337,7 +1337,7 @@ always available.
<int_max_str_digits>` used by this interpreter. See also
:func:`get_int_max_str_digits`.
- .. versionadded:: 3.12
+ .. versionadded:: 3.11
.. function:: setprofile(profilefunc)
diff --git a/Doc/library/test.rst b/Doc/library/test.rst
index eff3751..53bcd7c 100644
--- a/Doc/library/test.rst
+++ b/Doc/library/test.rst
@@ -1018,7 +1018,7 @@ The :mod:`test.support` module defines the following functions:
context to allow execution of test code that needs a different limit
on the number of digits when converting between an integer and string.
- .. versionadded:: 3.12
+ .. versionadded:: 3.11
The :mod:`test.support` module defines the following classes:
diff --git a/Doc/using/cmdline.rst b/Doc/using/cmdline.rst
index 6a33d98..02c9f30 100644
--- a/Doc/using/cmdline.rst
+++ b/Doc/using/cmdline.rst
@@ -585,7 +585,7 @@ Miscellaneous options
.. versionadded:: 3.11
The ``-X frozen_modules`` option.
- .. versionadded:: 3.12
+ .. versionadded:: 3.11
The ``-X int_max_str_digits`` option.
.. versionadded:: 3.12
@@ -775,7 +775,7 @@ conflict.
interpreter's global :ref:`integer string conversion length limitation
<int_max_str_digits>`.
- .. versionadded:: 3.12
+ .. versionadded:: 3.11
.. envvar:: PYTHONIOENCODING
diff --git a/Doc/whatsnew/3.12.rst b/Doc/whatsnew/3.12.rst
index 3e21127..3fbc7b6 100644
--- a/Doc/whatsnew/3.12.rst
+++ b/Doc/whatsnew/3.12.rst
@@ -83,17 +83,6 @@ Other Language Changes
mapping is hashable.
(Contributed by Serhiy Storchaka in :gh:`87995`.)
-* Converting between :class:`int` and :class:`str` in bases other than 2
- (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
- now raises a :exc:`ValueError` if the number of digits in string form is
- above a limit to avoid potential denial of service attacks due to the
- algorithmic complexity. This is a mitigation for `CVE-2020-10735
- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
- This limit can be configured or disabled by environment variable, command
- line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
- length limitation <int_max_str_digits>` documentation. The default limit
- is 4300 digits in string form.
-
* :class:`memoryview` now supports the half-float type (the "e" format code).
(Contributed by Dong-hee Na and Antoine Pitrou in :gh:`90751`.)
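Review bot: The bullet removed from "Other Language Changes" is the only What's New text in this diff that names CVE-2020-10735 and the 4300-digit default, and Doc/whatsnew/3.11.rst is not among the eight files changed. Since every directive in this patch now says 3.11, confirm that the 3.11 What's New already carries an equivalent entry; if it does not, move the bullet there rather than deleting it, so readers upgrading to 3.11 see that ``int``/``str`` conversion can now raise :exc:`ValueError`.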
diff --git a/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst b/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst
deleted file mode 100644
index 8eb8a34..0000000
--- a/Misc/NEWS.d/next/Security/2022-08-07-16-53-38.gh-issue-95778.ch010gps.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-Converting between :class:`int` and :class:`str` in bases other than 2
-(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
-raises a :exc:`ValueError` if the number of digits in string form is above a
-limit to avoid potential denial of service attacks due to the algorithmic
-complexity. This is a mitigation for `CVE-2020-10735
-<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
-
-This new limit can be configured or disabled by environment variable, command
-line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion length
-limitation <int_max_str_digits>` documentation. The default limit is 4300
-digits in string form.
-
-Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
-from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
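Review bot: Deleting this file outright drops the Security changelog entry, including the CVE-2020-10735 link, the note on how to configure or disable the limit, and the credit line; no file in this diff receives that text. If the entry is already recorded under a 3.11 release, say so in the commit message or point to where it lives, so the mitigation stays traceable from the changelog.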