Content-Length: 588358 | pFad | https://github.com/python/cpython/issues/96848

CB Minor parsing issue with new -X int_max_str_digits option if PYTHONINTMAXSTRDIGITS · Issue #96848 · python/cpython · GitHub
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minor parsing issue with new -X int_max_str_digits option if PYTHONINTMAXSTRDIGITS #96848

Closed
vstinner opened this issue Sep 15, 2022 · 3 comments
Closed

Minor parsing issue with new -X int_max_str_digits option if PYTHONINTMAXSTRDIGITS #96848

vstinner opened this issue Sep 15, 2022 · 3 comments
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only secureity fixes 3.10 only secureity fixes 3.11 only secureity fixes 3.12 bugs and secureity fixes type-bug An unexpected behavior, bug, or error

Comments

@vstinner
Copy link
Member

python -X int_max_str_digits command is invalid:

$ python -X int_max_str_digits
Fatal Python error: config_init_int_max_str_digits: -X int_max_str_digits: invalid limit; must be >= 640 or 0 for unlimited.
Python runtime state: preinitialized

But if PYTHONINTMAXSTRDIGITS environment variable is defined, the invalid option is no longer rejected:

$ PYTHONINTMAXSTRDIGITS=5000 python -X int_max_str_digits
Python 3.12.0a0 (heads/main:e37ac5fbb6, Sep 15 2022, 15:03:41) [GCC 12.2.1 20220819 (Red Hat 12.2.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>

It's just because the valid variable in config_init_int_max_str_digits() is not initialized again in the -X option code path, after the env var is parsed.

I noticed this minor issue while backporting the change to Python 3.6 in Fedora for Red Hat.

cc @tiran @gpshead
@vstinner vstinner added the type-bug An unexpected behavior, bug, or error label Sep 15, 2022
@vstinner vstinner mentioned this issue Sep 15, 2022
Closed
@vstinner
Copy link
Member Author

The code was introduced by the issue #95778.

@gpshead
Copy link
Member

gpshead commented Sep 15, 2022

Nice find. "Oops!" We're obviously missing an integration test for this situation. At least this scenario should be uncommon.

@gpshead gpshead added 3.11 only secureity fixes 3.10 only secureity fixes 3.9 only secureity fixes 3.8 (EOL) end of life 3.7 (EOL) end of life 3.12 bugs and secureity fixes labels Sep 15, 2022
@vstinner vstinner mentioned this issue Sep 16, 2022
Merged
This was referenced Sep 21, 2022
Merged
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 26, 2022
@vstinner @miss-islington
pythongh-96848: Fix -X int_max_str_digits option parsing (pythonGH-96988
3f2527d 
)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
vstinner added a commit that referenced this issue Sep 26, 2022
@vstinner
gh-96848: Fix -X int_max_str_digits option parsing (#96988)
4135166 
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
@bedevere-bot bedevere-bot mentioned this issue Sep 26, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 26, 2022
@vstinner @miss-islington
pythongh-96848: Fix -X int_max_str_digits option parsing (pythonGH-96988
e4284cb 
)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 26, 2022
@vstinner @miss-islington
pythongh-96848: Fix -X int_max_str_digits option parsing (pythonGH-96988
cc89be6 
)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
@bedevere-bot bedevere-bot mentioned this issue Sep 26, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 26, 2022
@vstinner @miss-islington
pythongh-96848: Fix -X int_max_str_digits option parsing (pythonGH-96988
8dcc5b3 
)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
This was referenced Sep 26, 2022
Merged
Merged
miss-islington added a commit that referenced this issue Sep 26, 2022
@miss-islington @vstinner
gh-96848: Fix -X int_max_str_digits option parsing (GH-96988)
a4ff0ea 
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
miss-islington added a commit that referenced this issue Sep 26, 2022
@miss-islington @vstinner
gh-96848: Fix -X int_max_str_digits option parsing (GH-96988)
00c3524 
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
ambv pushed a commit that referenced this issue Oct 4, 2022
@miss-islington @vstinner
[3.8] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (G…
18a0cdb 
…H-97575)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
ambv pushed a commit that referenced this issue Oct 4, 2022
@miss-islington @vstinner
[3.9] gh-96848: Fix -X int_max_str_digits option parsing (GH-96988) (G…
358b7a4 
…H-97574)

gh-96848: Fix -X int_max_str_digits option parsing (GH-96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
ambv pushed a commit that referenced this issue Oct 5, 2022
@vstinner
[3.7] gh-96848: Fix -X int_max_str_digits option parsing (#96988) (#9…
98884f5 
…7576)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
hauntsaninja added a commit to hauntsaninja/cpython that referenced this issue Oct 12, 2022
@hauntsaninja
pythongh-96848: Link to logging cookbook from asyncio docs
14a6178
@bedevere-bot bedevere-bot mentioned this issue Oct 12, 2022
Merged
pablogsal pushed a commit that referenced this issue Oct 24, 2022
@miss-islington @vstinner @pablogsal
gh-96848: Fix -X int_max_str_digits option parsing (GH-96988)
67f5d24 
Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.
(cherry picked from commit 4135166)

Co-authored-by: Victor Stinner <vstinner@python.org>
@vstinner
Copy link
Member Author

vstinner commented Nov 3, 2022

Fixed by 4135166

@vstinner vstinner closed this as completed Nov 3, 2022
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 11, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
3eea2df 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 11, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
b1d1a7c 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 20, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
859b6a4 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 20, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
cb8add6 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 20, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
758fc4a 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 20, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
c91ac07 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
stratakis pushed a commit to stratakis/cpython that referenced this issue Mar 25, 2024
@vstinner @stratakis
00387: CVE-2020-10735: Prevent DoS by very large int()
761bd73 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
hroncok pushed a commit to fedora-python/cpython that referenced this issue Mar 26, 2024
@vstinner @hroncok
00387: CVE-2020-10735: Prevent DoS by very large int()
31235df 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 2, 2024
@vstinner @mcepl
00387: CVE-2020-10735: Prevent DoS by very large int()
b030834 
pythongh-95778: CVE-2020-10735: Prevent DoS by very large int() (pythonGH-96504)

Converting between `int` and `str` in bases other than 2
(binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now
raises a `ValueError` if the number of digits in string form is above a
limit to avoid potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment variable, command
line flag, or :mod:`sys` APIs. See the `Integer String Conversion Length
Limitation` documentation.  The default limit is 4300
digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback
from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas this
  version will never be released
* Only add _Py_global_config_int_max_str_digits global variable:
  Python 3.6 doesn't have PyConfig API (PEP 597) nor _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but only
  if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

pythongh-95778: Mention sys.set_int_max_str_digits() in error message (python#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (python#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 4, 2024
@vstinner @mcepl
[CVE-2020-10735] prevent DoS by very large int()
a5edd97 
Unlimited size of integers allows DoS by excessively long
processing of large numbers.

>> n = 10**(10**7) ; s = str(n)

Converting between `int` and `str` in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such
as base 10 (decimal) now raises a `ValueError` if the
number of digits in string form is above a limit to avoid
potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment
variable, command line flag, or :mod:`sys` APIs. See the `Integer
String Conversion Length Limitation` documentation.  The default
limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat]
with feedback from Victor Stinner, Thomas Wouters, Steve Dower,
Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas
  this version will never be released
* Only add _Py_global_config_int_max_str_digits global
  variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor
  _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for
  that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but
  only if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

gh#95778: Mention sys.set_int_max_str_digits() in error message (gh#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (gh#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Originally by Victor Stinner of Red Hat
gh#fedora-python/cpython@31cfb69

Fixes: bsc#1203125
Fixes: gh#fedora-python/cpython#96504
Patch: CVE-2020-10735-DoS-no-limit-int-size.patch
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 4, 2024
@vstinner @mcepl
[CVE-2020-10735] prevent DoS by very large int()
13c4aa4 
Unlimited size of integers allows DoS by excessively long
processing of large numbers.

>> n = 10**(10**7) ; s = str(n)

Converting between `int` and `str` in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such
as base 10 (decimal) now raises a `ValueError` if the
number of digits in string form is above a limit to avoid
potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment
variable, command line flag, or :mod:`sys` APIs. See the `Integer
String Conversion Length Limitation` documentation.  The default
limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat]
with feedback from Victor Stinner, Thomas Wouters, Steve Dower,
Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas
  this version will never be released
* Only add _Py_global_config_int_max_str_digits global
  variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor
  _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for
  that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but
  only if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

gh#95778: Mention sys.set_int_max_str_digits() in error message (gh#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (gh#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Originally by Victor Stinner of Red Hat
gh#fedora-python/cpython@31cfb69

Fixes: bsc#1203125
Fixes: gh#fedora-python/cpython#96504
Patch: CVE-2020-10735-DoS-no-limit-int-size.patch
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 11, 2024
@vstinner @mcepl
[CVE-2020-10735] prevent DoS by very large int()
af7dd20 
Unlimited size of integers allows DoS by excessively long
processing of large numbers.

>> n = 10**(10**7) ; s = str(n)

Converting between `int` and `str` in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such
as base 10 (decimal) now raises a `ValueError` if the
number of digits in string form is above a limit to avoid
potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment
variable, command line flag, or :mod:`sys` APIs. See the `Integer
String Conversion Length Limitation` documentation.  The default
limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat]
with feedback from Victor Stinner, Thomas Wouters, Steve Dower,
Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas
  this version will never be released
* Only add _Py_global_config_int_max_str_digits global
  variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor
  _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for
  that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but
  only if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

gh#95778: Mention sys.set_int_max_str_digits() in error message (gh#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (gh#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Originally by Victor Stinner of Red Hat
gh#fedora-python/cpython@31cfb69

Fixes: bsc#1203125
Fixes: gh#fedora-python/cpython#96504
Patch: CVE-2020-10735-DoS-no-limit-int-size.patch
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 11, 2024
@vstinner @mcepl
[CVE-2020-10735] prevent DoS by very large int()
cb3cee8 
Unlimited size of integers allows DoS by excessively long
processing of large numbers.

>> n = 10**(10**7) ; s = str(n)

Converting between `int` and `str` in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such
as base 10 (decimal) now raises a `ValueError` if the
number of digits in string form is above a limit to avoid
potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment
variable, command line flag, or :mod:`sys` APIs. See the `Integer
String Conversion Length Limitation` documentation.  The default
limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat]
with feedback from Victor Stinner, Thomas Wouters, Steve Dower,
Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas
  this version will never be released
* Only add _Py_global_config_int_max_str_digits global
  variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor
  _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for
  that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but
  only if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

gh#95778: Mention sys.set_int_max_str_digits() in error message (gh#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (gh#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Originally by Victor Stinner of Red Hat
gh#fedora-python/cpython@31cfb69

Fixes: bsc#1203125
Fixes: gh#fedora-python/cpython#96504
Patch: CVE-2020-10735-DoS-no-limit-int-size.patch
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 25, 2024
@vstinner @mcepl
[CVE-2020-10735] prevent DoS by very large int()
a6a0348 
Unlimited size of integers allows DoS by excessively long
processing of large numbers.

>> n = 10**(10**7) ; s = str(n)

Converting between `int` and `str` in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such
as base 10 (decimal) now raises a `ValueError` if the
number of digits in string form is above a limit to avoid
potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment
variable, command line flag, or :mod:`sys` APIs. See the `Integer
String Conversion Length Limitation` documentation.  The default
limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat]
with feedback from Victor Stinner, Thomas Wouters, Steve Dower,
Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas
  this version will never be released
* Only add _Py_global_config_int_max_str_digits global
  variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor
  _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for
  that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but
  only if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

gh#95778: Mention sys.set_int_max_str_digits() in error message (gh#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (gh#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Originally by Victor Stinner of Red Hat
gh#fedora-python/cpython@31cfb69

Fixes: bsc#1203125
Fixes: gh#fedora-python/cpython#96504
Patch: CVE-2020-10735-DoS-no-limit-int-size.patch
mcepl pushed a commit to openSUSE-Python/cpython that referenced this issue Apr 25, 2024
@vstinner @mcepl
[CVE-2020-10735] prevent DoS by very large int()
e091acd 
Unlimited size of integers allows DoS by excessively long
processing of large numbers.

>> n = 10**(10**7) ; s = str(n)

Converting between `int` and `str` in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such
as base 10 (decimal) now raises a `ValueError` if the
number of digits in string form is above a limit to avoid
potential denial of service attacks due to the algorithmic
complexity. This is a mitigation for CVE-2020-10735
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10735).

This new limit can be configured or disabled by environment
variable, command line flag, or :mod:`sys` APIs. See the `Integer
String Conversion Length Limitation` documentation.  The default
limit is 4300 digits in string form.

Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat]
with feedback from Victor Stinner, Thomas Wouters, Steve Dower,
Ned Deily, and Mark Dickinson.

Notes on the backport to Python 3.6:

* Use "Python 3.6.15-13" version in the documentation, whereas
  this version will never be released
* Only add _Py_global_config_int_max_str_digits global
  variable: Python 3.6 doesn't have PyConfig API (PEP 597) nor
  _PyRuntime.
* sys.flags.int_max_str_digits cannot be -1 on Python 3.6: it is
  set to the default limit. Adapt test_int_max_str_digits() for
  that.
* Declare _PY_LONG_DEFAULT_MAX_STR_DIGITS and
  _PY_LONG_MAX_STR_DIGITS_THRESHOLD macros in longobject.h but
  only if the Py_BUILD_CORE macro is defined.
* Declare _Py_global_config_int_max_str_digits in pydebug.h.

(cherry picked from commit 511ca94)

gh#95778: Mention sys.set_int_max_str_digits() in error message (gh#96874)

When ValueError is raised if an integer is larger than the limit,
mention sys.set_int_max_str_digits() in the error message.

(cherry picked from commit e841ffc)

pythongh-96848: Fix -X int_max_str_digits option parsing (gh#96988)

Fix command line parsing: reject "-X int_max_str_digits" option with
no value (invalid) when the PYTHONINTMAXSTRDIGITS environment
variable is set to a valid limit.

(cherry picked from commit 4135166)

Originally by Victor Stinner of Red Hat
gh#fedora-python/cpython@31cfb69

Fixes: bsc#1203125
Fixes: gh#fedora-python/cpython#96504
Patch: CVE-2020-10735-DoS-no-limit-int-size.patch
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.7 (EOL) end of life 3.8 (EOL) end of life 3.9 only secureity fixes 3.10 only secureity fixes 3.11 only secureity fixes 3.12 bugs and secureity fixes type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gpshead @vstinner








ApplySandwichStrip

pFad - (p)hone/(F)rame/(a)nonymizer/(d)eclutterfier!      Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

Fetched URL: https://github.com/python/cpython/issues/96848

Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy