[Python-checkins] gh-95913: Forward-port int/str security change to 3.11 What's New in main (#98344)
gpshead
webhook-mailer at python.org
Sun Oct 16 21:43:32 EDT 2022
https://github.com/python/cpython/commit/bb38b39b339191c5fc001c8fbfbc3037c13bc7bb
commit: bb38b39b339191c5fc001c8fbfbc3037c13bc7bb
branch: main
author: C.A.M. Gerlach <CAM.Gerlach at Gerlach.CAM>
committer: gpshead <greg at krypto.org>
date: 2022-10-16T18:43:13-07:00
summary:
gh-95913: Forward-port int/str security change to 3.11 What's New in main (#98344)
Add int/str security change from issue gh-95778 PRs gh-96499 / gh-95800
Co-authored-by: Gregory P. Smith <greg at krypto.org> [Google]
files:
M Doc/whatsnew/3.11.rst
diff --git a/Doc/whatsnew/3.11.rst b/Doc/whatsnew/3.11.rst
index 56a35f4e4802..73e23a1a9e7f 100644
--- a/Doc/whatsnew/3.11.rst
+++ b/Doc/whatsnew/3.11.rst
@@ -530,6 +530,17 @@ Other CPython Implementation Changes
and with the new :option:`--help-all`.
(Contributed by Éric Araujo in :issue:`46142`.)
+* Converting between :class:`int` and :class:`str` in bases other than 2
+ (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal)
+ now raises a :exc:`ValueError` if the number of digits in string form is
+ above a limit to avoid potential denial of service attacks due to the
+ algorithmic complexity. This is a mitigation for `CVE-2020-10735
+ <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735>`_.
+ This limit can be configured or disabled by environment variable, command
+ line flag, or :mod:`sys` APIs. See the :ref:`integer string conversion
+ length limitation <int_max_str_digits>` documentation. The default limit
+ is 4300 digits in string form.
+
.. _whatsnew311-new-modules:
More information about the Python-checkins
mailing list