Integer to and from text conversions via CPython's bignum `int` type are not safe against denial of service attacks due to malicious input. Very large input strings with hundreds of thousands of digits can consume several CPU seconds.
This PR comes fresh from a pile of work done in our private PSRT security response team repo.
This backports https://github.com/python/cpython/pull/96499 aka 511ca9452033ef95bc7d7fc404b8161068226002
Signed-off-by: Christian Heimes [Red Hat] <christian@python.org>
Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org>
Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).
* Issue: gh-95778
I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#).
When a keyword argument name is an instance of a str subclass with
overloaded methods __eq__ and __hash__, the former code could not find
the name of an extraneous keyword argument to report an error, and
_PyArg_UnpackKeywords() returned success without setting the
corresponding cell in the linearized arguments array. But since the number
of expected initialized cells is determined as the total number of passed
arguments, this led to reading NULL as a keyword parameter value, which
caused SystemError or crash or other undesired behavior.
(cherry picked from commit ebad53a4dc1bb591820724a22cef9b8459185b5f)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
It returned 1 (success) when warnings are turned into exceptions.
(cherry picked from commit 107c21c5d56682320b38c01b5575c1604a429239)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
It combines PyImport_ImportModule() and PyObject_GetAttrString()
and saves 4-6 lines of code on every use.
Add also _PyImport_GetModuleAttr() which takes Python strings as arguments.
(cherry picked from commit 6fd4c8ec7740523bb81191c013118d9d6959bc9d)
(cherry picked from commit d42b3689f4a14694f5b1ff75c155141102aa2557)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Fix __ltrace__ debug feature if the stdout encoding is not UTF-8.
If the stdout encoding is not UTF-8, the first call to
lltrace_resume_frame() indirectly sets lltrace to 0 when calling
unicode_check_encoding_errors() which calls
encodings.search_function().
Add test_lltrace.test_lltrace() test.
Also while there, clarify a few things about why we reduce the hash to 32 bits.
Co-authored-by: Eli Libman <eli@hyro.ai>
Co-authored-by: Yury Selivanov <yury@edgedb.com>
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
(cherry picked from commit c1f5c903a7e4ed27190488f4e33b00d3c3d952e5)
_Py_closerange() currently assumes that close_range() closes
all file descriptors even if it returns an error (other than ENOSYS).
This assumption can be wrong on Linux if a seccomp sandbox denies
the underlying syscall, pretending that it returns EPERM or EACCES.
In this case _Py_closerange() won't close any descriptors at all,
which in the worst case can be a security issue.
Fix this by falling back to other methods in case of any close_range()
error. Note that fallbacks will not be triggered on any problems with
closing individual file descriptors because close_range() is documented
to ignore such errors on both Linux[1] and FreeBSD[2].
[1] https://man7.org/linux/man-pages/man2/close_range.2.html
[2] https://www.freebsd.org/cgi/man.cgi?query=close_range&sektion=2
(cherry picked from commit 1c8b3b5d66a629258f1db16939b996264a8b9c37)
Co-authored-by: Alexey Izbyshev <izbyshev@ispras.ru>
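The failure mode described in the _Py_closerange() commit message above, as an added C example that is not CPython's code. The names closerange(), denied_close_range() and still_open_after() are hypothetical, the close_range() call is injected as a function pointer so that a seccomp-style EPERM can be simulated without a real filter, and descriptors 200..202 are assumed to be free.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Same shape as close_range(2); injected so a denied syscall can be simulated. */
typedef int (*close_range_fn)(unsigned int first, unsigned int last, int flags);

/* Constructed stand-in for a seccomp filter that rejects the syscall with EPERM. */
static int denied_close_range(unsigned int first, unsigned int last, int flags)
{
    (void)first; (void)last; (void)flags;
    errno = EPERM;
    return -1;
}

/* any_error=0: old behaviour (fallback only on ENOSYS); any_error=1: the fix. */
static void closerange(int first, int last, close_range_fn cr, int any_error)
{
    if (cr((unsigned)first, (unsigned)last, 0) == 0)
        return;
    if (!any_error && errno != ENOSYS)
        return;                  /* EPERM from the filter: nothing was closed */
    for (int fd = first; fd <= last; fd++)
        (void)close(fd);         /* per-descriptor errors are ignored */
}

/* Open three descriptors at 200..202, run closerange(), report how many survive. */
static int still_open_after(int any_error)
{
    int src = open("/dev/null", O_RDONLY), n = 0;
    if (src == -1) return -1;
    for (int fd = 200; fd <= 202; fd++)
        if (dup2(src, fd) == -1) return -1;
    close(src);
    closerange(200, 202, denied_close_range, any_error);
    for (int fd = 200; fd <= 202; fd++) {
        n += (fcntl(fd, F_GETFD) != -1);
        close(fd);               /* clean up whatever the old logic leaked */
    }
    return n;
}

int main(void)
{
    printf("ENOSYS-only fallback leaves %d open; any-error fallback leaves %d\n",
           still_open_after(0), still_open_after(1));
    return 0;
}
```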
When an exception is created in a nested call to PyObject_GetAttr, any
external calls will override the context information of the
AttributeError that we have already placed in the most internal call.
This will cause the suggestions we create to not work properly as the
attribute name and object that we will be using are the incorrect ones.
To avoid this, we need to check first if these attributes are already
set and bail out if that's the case.
(cherry picked from commit 3b3be05a164da43f201e35b6dafbc840993a4d18)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
First introduced in 0332e569c12d3dc97171546c6dc10e42c27de34b
(cherry picked from commit 607d8a838f29ad3c4c4e85b39f338dade5f9cafe)
Co-authored-by: Yury Selivanov <yury@edgedb.com>
(cherry picked from commit 59435eea08d30796174552c0ca03c59b41adf8a5)
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
Co-authored-by: Pablo Galindo Salgado <Pablogsal@gmail.com>
* [3.10] bpo-46009: Do not exhaust generator when send() method raises (GH-29986).
(cherry picked from commit 69806b9516dbe092381f3ef884c7c64bb9b8414a)
Co-authored-by: Mark Shannon <mark@hotpy.org>
* Rename variable after cherry-pick.
* Add NULL check.
If the string is ASCII only and doesn't need to escape characters,
write the whole string with a single write() syscall.
(cherry picked from commit b919d8105c4d77f00509b6d3ab2073f09db640de)
Co-authored-by: Victor Stinner <vstinner@python.org>
Unlike the other locks reinitialized by _PyRuntimeState_ReInitThreads,
the "interpreters.main->id_mutex" is not freed by _PyRuntimeState_Fini
and should not force the default raw allocator.
(cherry picked from commit 736684b1bb67369a2e95a9f621752deead44e7ef)
Co-authored-by: Sam Gross <colesbury@gmail.com>
On Unix, if the sem_clockwait() function is available in the C
library (glibc 2.30 and newer), the threading.Lock.acquire() method
now uses the monotonic clock (time.CLOCK_MONOTONIC) for the timeout,
rather than using the system clock (time.CLOCK_REALTIME), to not be
affected by system clock changes.
configure now checks if the sem_clockwait() function is available.
This can occur when the zip file gets deleted, you call zipimport.zipimporter.invalidate_cache(), and then try to use zipimport.zipimporter.find_spec() (i.e. you left the zip file path on sys.path).
(cherry picked from commit 209b7035f714dcc41df054b0b023e0b955d7e1a2)
Co-authored-by: Brett Cannon <brett@python.org>
Release the GIL while performing isatty() system calls on arbitrary
file descriptors. In particular, this affects os.isatty(),
os.device_encoding() and io.TextIOWrapper. By extension,
io.open() in text mode is also affected.
(cherry picked from commit 06148b1870fceb1a21738761b8e1ac3bf654319b)
Co-authored-by: Vincent Michel <vxgmichel@gmail.com>
Co-authored-by: Erlend Egeberg Aasland <erlend.aasland@innova.no>
(cherry picked from commit b4b6342848ec0459182a992151099252434cc619)
Co-authored-by: Irit Katriel <1055913+iritkatriel@users.noreply.github.com>
* Use a private version of _PyType_GetQualName
Co-authored-by: Łukasz Langa <lukasz@langa.pl>
Fix PyAiter_Check to only check for the `__anext__` presence (not for
`__aiter__`). Rename `PyAiter_Check()` to `PyAIter_Check()`,
`PyObject_GetAiter()` -> `PyObject_GetAIter()`.