summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2014-09-30 12:18:02 (GMT)
committerGeorg Brandl <georg@python.org>2014-09-30 12:18:02 (GMT)
commit210ee47e3340d8e689d8cce584e7c918d368f16b (patch)
tree526fb45a80d57de0b30729fab1a97802caa36ac3
parent70088f14ad33e9f6e1734513594f83d42880e885 (diff)
downloadcpython-210ee47e3340d8e689d8cce584e7c918d368f16b.zip
cpython-210ee47e3340d8e689d8cce584e7c918d368f16b.tar.gz
cpython-210ee47e3340d8e689d8cce584e7c918d368f16b.tar.bz2
Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
limiting the call to readline(). Original patch by Christian Heimes.
-rw-r--r--Lib/smtplib.py5
-rw-r--r--Lib/test/mock_socket.py9
-rw-r--r--Lib/test/test_smtplib.py30
-rw-r--r--Misc/NEWS3
4 files changed, 43 insertions, 4 deletions
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
index 679e478..b03533e 100644
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -62,6 +62,7 @@ SMTP_PORT = 25
SMTP_SSL_PORT = 465
CRLF = "\r\n"
bCRLF = b"\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
@@ -363,7 +364,7 @@ class SMTP:
self.file = self.sock.makefile('rb')
while 1:
try:
- line = self.file.readline()
+ line = self.file.readline(_MAXLINE + 1)
except socket.error as e:
self.close()
raise SMTPServerDisconnected("Connection unexpectedly closed: "
@@ -373,6 +374,8 @@ class SMTP:
raise SMTPServerDisconnected("Connection unexpectedly closed")
if self.debuglevel > 0:
print('reply:', repr(line), file=stderr)
+ if len(line) > _MAXLINE:
+ raise SMTPResponseException(500, "Line too long.")
resp.append(line[4:].strip(b' \t\r\n'))
code = line[:3]
# Check that the error code is syntactically correct.
diff --git a/Lib/test/mock_socket.py b/Lib/test/mock_socket.py
index 8036932..7e748b5 100644
--- a/Lib/test/mock_socket.py
+++ b/Lib/test/mock_socket.py
@@ -21,8 +21,13 @@ class MockFile:
"""
def __init__(self, lines):
self.lines = lines
- def readline(self):
- return self.lines.pop(0) + b'\r\n'
+ def readline(self, limit=-1):
+ result = self.lines.pop(0) + b'\r\n'
+ if limit >= 0:
+ # Re-insert the line, removing the \r\n we added.
+ self.lines.insert(0, result[limit:-2])
+ result = result[:limit]
+ return result
def close(self):
pass
diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py
index ec971ea..7799580 100644
--- a/Lib/test/test_smtplib.py
+++ b/Lib/test/test_smtplib.py
@@ -537,6 +537,33 @@ class BadHELOServerTests(unittest.TestCase):
HOST, self.port, 'localhost', 3)
+@unittest.skipUnless(threading, 'Threading required for this test.')
+class TooLongLineTests(unittest.TestCase):
+ respdata = b'250 OK' + (b'.' * smtplib._MAXLINE * 2) + b'\n'
+
+ def setUp(self):
+ self.old_stdout = sys.stdout
+ self.output = io.StringIO()
+ sys.stdout = self.output
+
+ self.evt = threading.Event()
+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.sock.settimeout(15)
+ self.port = support.bind_port(self.sock)
+ servargs = (self.evt, self.respdata, self.sock)
+ threading.Thread(target=server, args=servargs).start()
+ self.evt.wait()
+ self.evt.clear()
+
+ def tearDown(self):
+ self.evt.wait()
+ sys.stdout = self.old_stdout
+
+ def testLineTooLong(self):
+ self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
+ HOST, self.port, 'localhost', 3)
+
+
sim_users = {'Mr.A@somewhere.com':'John A',
'Ms.B@xn--fo-fka.com':'Sally B',
'Mrs.C@somewhereesle.com':'Ruth C',
@@ -826,7 +853,8 @@ class SMTPSimTests(unittest.TestCase):
def test_main(verbose=None):
support.run_unittest(GeneralTests, DebuggingServerTests,
NonConnectingTests,
- BadHELOServerTests, SMTPSimTests)
+ BadHELOServerTests, SMTPSimTests,
+ TooLongLineTests)
if __name__ == '__main__':
test_main()
diff --git a/Misc/NEWS b/Misc/NEWS
index 9f1107c..1de9c10 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
Library
-------
+- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
+ limiting the call to readline(). Original patch by Christian Heimes.
+
- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
limiting the call to readline(). Original patch by Michał
Jastrzębski and Giampaolo Rodola.