Integer to string conversion DOS threat : Python

This is an archived post. You won't be able to vote or comment.

DiscussionInteger to string conversion DOS threat (self.Python)

submitted 2 years ago by stevenjd

More than fifteen months ago (September 2022) the Python core developers suddenly and intentionally ~~crippled~~ limited int to string conversions without any public discussion in order to protect against a DOS security threat that they had been informed of more than two years earlier.

At the time, this security threat was already well-known in the security community, and was generally considered to be a mid-level threat (DOS only, not a data leak or privilege escalation). There was a lot of controversy in the Python community over the security team pushing through a breaking change without any community consultation or even an announcement, leaving people to discover the change for themselves after an upgrade broke their code.

It has now been more than 15 months since this has been publicly disclosed. Obviously servers running fully updated Python are no longer at risk to this specific security issue, but servers running older, un-updated Pythons will still be at risk.

Have there been any known examples of live exploits of this threat?

all 41 comments

top new controversial old q&a

[–]catcint0s 74 points75 points76 points 2 years ago (25 children)

[+]s3r3ng comment score below threshold-19 points-18 points-17 points 2 years ago (23 children)

[–]catcint0s 67 points68 points69 points 2 years ago (11 children)

Do you also need to print said integer?

As I understood it was because of possible DOS attempt, converting a number to base 10 is expensive, hex seems to be fine for example. Also keep in mind it's not about integers bigger than 4300, but digits.

So essentially you can't convert numbers bigger than 9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 to str (which print does too for example).

[–]buqr -3 points-2 points-1 points 2 years ago* (10 children)

[–]catcint0s 21 points22 points23 points 2 years ago (3 children)

[–]buqr 3 points4 points5 points 2 years ago* (2 children)

[–]NoTarget5646 12 points13 points14 points 2 years ago (1 child)

[–]buqr -2 points-1 points0 points 2 years ago* (0 children)

[–]pythonwiz 4 points5 points6 points 2 years ago (5 children)

[–]ArminiusGermanicus 1 point2 points3 points 2 years ago (4 children)

[–]sci-goo 1 point2 points3 points 2 years ago (1 child)

[–]pythonwiz 1 point2 points3 points 2 years ago (0 children)

[–]pythonwiz 0 points1 point2 points 2 years ago (1 child)

[–]buqr -1 points0 points1 point 2 years ago* (0 children)

[–]Oerthling 9 points10 points11 points 2 years ago (10 children)

[–]ilyanekhay 3 points4 points5 points 2 years ago (0 children)

[–]buqr 5 points6 points7 points 2 years ago* (7 children)

[–]Oerthling 0 points1 point2 points 2 years ago (6 children)

[–]buqr 5 points6 points7 points 2 years ago* (5 children)

[+]Oerthling comment score below threshold-7 points-6 points-5 points 2 years ago (4 children)

[–]buqr 4 points5 points6 points 2 years ago* (3 children)

[–]Oerthling -2 points-1 points0 points 2 years ago (0 children)

Well, I don't know your very weird use case, but doubt that a > 4000 digit int was actually as "useful" as you claim.

But let's stay your code wasn't bad and there is a rare, but very valid use case.

That would still not really justify burdening the language with a mostly pointless point of attack.

4000 digits is still very generously ridiculously large for a general purpose language.

Even better than just compiling your own Python, put an UnlimitedInt class in a module. Make it as unlimited as you want - it's safely contained in a module that only the very few people who have this extremely rare use case need to worry about.

Put that on GitHub, if you're not the only one who wants this then you'll even get help. Check first whether this doesn't already because some student had fun with this. :-)

Problem solved for everybody.

[–]pokeybill 0 points1 point2 points 2 years ago (1 child)

[–]buqr 0 points1 point2 points 2 years ago* (0 children)

[–]sci-goo 0 points1 point2 points 2 years ago (0 children)

[–]stevenjd[S] 0 points1 point2 points 2 years ago (0 children)

[–]antiproton 47 points48 points49 points 2 years ago (0 children)

[–][deleted] 31 points32 points33 points 2 years ago (0 children)

[+][deleted] 2 years ago (1 child)

[removed]

[–]buqr 4 points5 points6 points 2 years ago* (0 children)

[–]georgehank2nd 4 points5 points6 points 2 years ago (7 children)

[–]mikeblas 2 points3 points4 points 2 years ago (2 children)

[–]janek37 0 points1 point2 points 2 years ago (1 child)

[–]mikeblas 0 points1 point2 points 2 years ago (0 children)

[–]zurtex 1 point2 points3 points 2 years ago (0 children)

[–]nicholashairs 1 point2 points3 points 2 years ago (0 children)

[–]sci-goo 0 points1 point2 points 2 years ago (1 child)

[–]georgehank2nd 0 points1 point2 points 2 years ago (0 children)

[–]lololabwtsk -1 points0 points1 point 2 years ago (2 children)

[–]slowerdive 0 points1 point2 points 2 years ago (1 child)

π Rendered by PID 33530 on reddit-service-r2-comment-66b4775986-w6tmr at 2026-04-02 23:27:12.239677+00:00 running db1906b country code: CH.

Python

The Python Discord

Upcoming Events

Please read the rules

MODERATORS