path: root/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
Diffstat (limited to 'Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst')
-rw-r--r-- Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst 14
1 files changed, 0 insertions, 14 deletions
diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
deleted file mode 100644
index 0d649dc..0000000
--- a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio`
-related name resolution functions no longer involves a quadratic algorithm.
-This prevents a potential CPU denial of service if an out-of-spec excessive
-length hostname involving bidirectional characters were decoded. Some protocols
-such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
-to supply such a name.
-
-Individual labels within an IDNA encoded DNS name will now raise an error early
-during IDNA decoding if they are longer than 1024 unicode characters given that
-each decoded DNS label must be 63 or fewer characters and the entire decoded
-DNS name is limited to 255. Only an application presenting a hostname or label
-consisting primarily of :rfc:`3454` section 3.1 "Nothing" characters to be
-removed would run into of this new limit. See also :rfc:`5894` section 6 and
-:rfc:`3491`.
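
Review bot: the diffstat shows 14 deletions and 0 insertions for this file, so this view of the change removes the only text here that documents the IDNA decoder's quadratic-time fix and the new 1024-character early-error limit on individual labels. Please confirm the entry is carried into the consolidated release notes as part of the same commit, so the security note and its references to :rfc:`3454`, :rfc:`5894` and :rfc:`3491` are not lost. Wherever the text ends up, the last paragraph's "would run into of this new limit" has a stray "of" and should read "would run into this new limit".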