summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGeorg Brandl <georg@python.org>2013-10-27 06:23:53 (GMT)
committerGeorg Brandl <georg@python.org>2013-10-27 06:23:53 (GMT)
commit7e27abbb3936e9a7baea13ceeac6abd256bc0d6f (patch)
tree6ee857cd02820aa984dddf6d9b8c5fc21cb9ffbe
parent72c98d3a761457a4f2b8054458b19f051dfb5886 (diff)
downloadcpython-7e27abbb3936e9a7baea13ceeac6abd256bc0d6f.zip
cpython-7e27abbb3936e9a7baea13ceeac6abd256bc0d6f.tar.gz
cpython-7e27abbb3936e9a7baea13ceeac6abd256bc0d6f.tar.bz2
Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen.
-rw-r--r--Lib/poplib.py11
-rw-r--r--Lib/test/test_poplib.py6
-rw-r--r--Misc/NEWS4
3 files changed, 19 insertions, 2 deletions
diff --git a/Lib/poplib.py b/Lib/poplib.py
index 84f1889..43f8305 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -32,6 +32,12 @@ CR = b'\r'
LF = b'\n'
CRLF = CR+LF
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
class POP3:
@@ -107,7 +113,10 @@ class POP3:
# Raise error_proto('-ERR EOF') if the connection is closed.
def _getline(self):
- line = self.file.readline()
+ line = self.file.readline(_MAXLINE + 1)
+ if len(line) > _MAXLINE:
+ raise error_proto('line too long')
+
if self._debugging > 1: print('*get*', repr(line))
if not line: raise error_proto('-ERR EOF')
octets = len(line)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index c0929a0..28e6a6b 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -83,7 +83,7 @@ class DummyPOP3Handler(asynchat.async_chat):
def cmd_list(self, arg):
if arg:
- self.push('+OK %s %s' %(arg, arg))
+ self.push('+OK %s %s' % (arg, arg))
else:
self.push('+OK')
asynchat.async_chat.push(self, LIST_RESP)
@@ -208,6 +208,10 @@ class TestPOP3Class(TestCase):
foo = self.client.retr('foo')
self.assertEqual(foo, expected)
+ def test_too_long_lines(self):
+ self.assertRaises(poplib.error_proto, self.client._shortcmd,
+ 'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
+
def test_dele(self):
self.assertOK(self.client.dele('foo'))
diff --git a/Misc/NEWS b/Misc/NEWS
index 9b6d5f5..09cb599 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -81,6 +81,10 @@ Core and Builtins
Library
-------
+- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
+ prevent readline() calls from consuming too much memory. Patch by Jyrki
+ Pulliainen.
+
- Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments.