gh-95778: CVE-2020-10735: Prevent DoS by very large int() (#96499)

gpshead · web-flow · commit 7c93b7c94a65 · 2022-09-02T09:35:08.000-07:00
Integer to and from text conversions via CPython's bignum `int` type is not safe against denial of service attacks due to malicious input. Very large input strings with hundred thousands of digits can consume several CPU seconds. This PR comes fresh from a pile of work done in our private PSRT security response team repo. Signed-off-by: Christian Heimes [Red Hat] <christian@python.org> Tons-of-polishing-up-by: Gregory P. Smith [Google] <greg@krypto.org> Reviews via the private PSRT repo via many others (see the NEWS entry in the PR).  * Issue: gh-95778  I wrote up [a one pager for the release managers](https://docs.google.com/document/d/1KjuF_aXlzPUxTK4BMgezGJ2Pn7uevfX7g0_mvgHlL7Y/edit#). Much of that text wound up in the Issue. Backports PRs already exist. See the issue for links.
diff --git a/idlelib/idle_test/test_sidebar.py b/idlelib/idle_test/test_sidebar.py
@@ -6,6 +6,7 @@
 import unittest
 import unittest.mock
 from test.support import requires, swap_attr
+from test import support
 import tkinter as tk
 from idlelib.idle_test.tkinter_testing_utils import run_in_tk_mainloop
 
@@ -612,7 +613,8 @@ def test_interrupt_recall_undo_redo(self):
 
     @run_in_tk_mainloop()
     def test_very_long_wrapped_line(self):
-        with swap_attr(self.shell, 'squeezer', None):
+        with support.adjust_int_max_str_digits(11_111), \
+                swap_attr(self.shell, 'squeezer', None):
             self.do_input('x = ' + '1'*10_000 + '\n')
             yield
             self.assertEqual(self.get_sidebar_lines(), ['>>>'])
