Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

CVE-2020-10735: Prevent DoS by large int<->str conversions #95778

New issue
Copy link
New issue
Copy link
Closed
#100627
#98344
Closed
CVE-2020-10735: Prevent DoS by large int<->str conversions#95778
#100627
#98344
Copy link
Assignees
gpsheadtiran
Labels
3.10only security fixesonly security fixes3.11only security fixesonly security fixes3.12only security fixesonly security fixes3.7 (EOL)end of lifeend of life3.8 (EOL)end of lifeend of life3.9only security fixesonly security fixestype-bugAn unexpected behavior, bug, or errorAn unexpected behavior, bug, or errortype-featureA feature request or enhancementA feature request or enhancementtype-securityA security issueA security issue
@gpshead

Description

@gpshead
gpshead
opened on Aug 8, 2022
Issue body actions

Problem

A Denial Of Service (DoS) issue was identified in CPython because we use binary bignum’s for our int implementation. A huge integer will always consume a near-quadratic amount of CPU time in conversion to or from a base 10 (decimal) string with a large number of digits. No efficient algorithm exists to do otherwise.

It is quite common for Python code implementing network protocols and data serialization to do int(untrusted_string_or_bytes_value) on input to get a numeric value, without having limited the input length or to do log("processing thing id %s", unknowingly_huge_integer) or any similar concept to convert an int to a string without first checking its magnitude. (http, json, xmlrpc, logging, loading large values into integer via linear-time conversions such as hexadecimal stored in yaml, or anything computing larger values based on user controlled inputs… which then wind up attempting to output as decimal later on). All of these can suffer a CPU consuming DoS in the face of untrusted data.

Everyone auditing all existing code for this, adding length guards, and maintaining that practice everywhere is not feasible nor is it what we deem the vast majority of our users want to do.

This issue has been reported to the Python Security Response Team multiple times by a few different people since early 2020, most recently a few weeks ago while I was in the middle of polishing up the PR so it’d be ready before 3.11.0rc2.

Mitigation

After discussion on the Python Security Response Team mailing list the conclusion was that we needed to limit the size of integer to string conversions for non-linear time conversions (anything not a power-of-2 base) by default. And offer the ability to configure or disable this limit.

The Python Steering Council is aware of this change and accepts it as necessary.

Linked PRs

Metadata

Metadata

Assignees

Labels

3.10only security fixesonly security fixes3.11only security fixesonly security fixes3.12only security fixesonly security fixes3.7 (EOL)end of lifeend of life3.8 (EOL)end of lifeend of life3.9only security fixesonly security fixestype-bugAn unexpected behavior, bug, or errorAn unexpected behavior, bug, or errortype-featureA feature request or enhancementA feature request or enhancementtype-securityA security issueA security issue

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    Morty Proxy This is a proxified and sanitized view of the page, visit original site.