more RFC links and explanation.

gpshead · gpshead · commit bd51456952de · 2022-11-04T20:26:02.000Z
diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py
@@ -101,14 +101,15 @@ def ToASCII(label):
     raise UnicodeError("label empty or too long")
 
 def ToUnicode(label):
-    if len(label) > 1000:
+    if len(label) > 1024:
         # Protection from https://github.com/python/cpython/issues/98433.
         # https://datatracker.ietf.org/doc/html/rfc5894#section-6
         # doesn't specify a label size limit prior to NAMEPREP. But having
         # one makes practical sense.
         # This leaves ample room for nameprep() to remove Nothing characters
-        # while still preventing us from wasting CPU decoding a big thing
-        # that'll just hit the actual <= 63 length limit in Step 6.
+        # per https://www.rfc-editor.org/rfc/rfc3454#section-3.1 while still
+        # preventing us from wasting time decoding a big thing that'll just
+        # hit the actual <= 63 length limit in Step 6.
         raise UnicodeError("label way too long")
     # Step 1: Check for ASCII
     if isinstance(label, bytes):
diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py
@@ -1554,7 +1554,7 @@ def test_builtin_encode(self):
 
     def test_builtin_decode_length_limit(self):
         with self.assertRaises(UnicodeError) as ctx:
-            (b"xn--016c"+b"a"*1010).decode("idna")
+            (b"xn--016c"+b"a"*1100).decode("idna")
         self.assertIn("way too long", str(ctx.exception))
         with self.assertRaises(UnicodeError) as ctx:
             (b"xn--016c"+b"a"*70).decode("idna")
diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst
@@ -6,8 +6,9 @@ such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker
 to supply such a name.
 
 Individual labels within an IDNA encoded DNS name will now raise an error early
-during IDNA decoding if they are longer than 1000 encoded characters given that
-each decoded DNS label must be 63 or fewer characters. Only an application
-presenting a suspicious hostname value consisting primarily of "Nothing"
-characters to be removed would run into of this new limit. See :rfc:`5894`
-section 6 and :rfc:`3491`.
+during IDNA decoding if they are longer than 1024 unicode characters given that
+each decoded DNS label must be 63 or fewer characters and the entire decoded
+DNS name is limited to 255. Only an application presenting a hostname or label
+consisting primarily of :rfc:`3454` section 3.1 "Nothing" characters to be
+removed would run into of this new limit. See also :rfc:`5894` section 6 and
+:rfc:`3491`.
