
new interpreter argument:

    -X int_max_str_digits=number
       limit the size of int<->str conversions.
       This helps avoid denial of service attacks when parsing untrusted data.
       The default is sys.int_info.default_max_str_digits.  0 disables.
this should not be a runtime configuration setting, fix the sodding algorithm to not be quadratic

will we be getting PHP style magic quotes soon? that also protects developers against untrusted input (bonus! this could be configured too!)

or an inability to pass strings into the regular expression module? that can also cause DoS

(what happened to Python?)



My understanding is that there is no algorithm for this that isn't quadratic.

Update: I may have understood incorrectly, see https://github.com/python/cpython/issues/90716


> My understanding is that there is no algorithm for this that isn't quadratic.

> If you know of one, the Python core development team would love to hear about it!

it's mentioned on the issue page that makes up the article...

(before they closed it due to the "code of conduct")



