diff options
| -rw-r--r-- | Lib/poplib.py | 12 | ||||
| -rw-r--r-- | Lib/test/test_poplib.py | 4 | ||||
| -rw-r--r-- | Misc/NEWS | 3 |
3 files changed, 18 insertions, 1 deletions
diff --git a/Lib/poplib.py b/Lib/poplib.py index dc7cbdf..b91e5f7 100644 --- a/Lib/poplib.py +++ b/Lib/poplib.py @@ -32,6 +32,12 @@ CR = '\r' LF = '\n' CRLF = CR+LF +# maximal line length when calling readline(). This is to prevent +# reading arbitrary length lines. RFC 1939 limits POP3 line length to +# 512 characters, including CRLF. We have selected 2048 just to be on +# the safe side. +_MAXLINE = 2048 + class POP3: @@ -103,7 +109,9 @@ class POP3: # Raise error_proto('-ERR EOF') if the connection is closed. def _getline(self): - line = self.file.readline() + line = self.file.readline(_MAXLINE + 1) + if len(line) > _MAXLINE: + raise error_proto('line too long') if self._debugging > 1: print '*get*', repr(line) if not line: raise error_proto('-ERR EOF') octets = len(line) @@ -365,6 +373,8 @@ else: match = renewline.match(self.buffer) while not match: self._fillBuffer() + if len(self.buffer) > _MAXLINE: + raise error_proto('line too long') match = renewline.match(self.buffer) line = match.group(0) self.buffer = renewline.sub('' ,self.buffer, 1) diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py index af48fdd..23d6887 100644 --- a/Lib/test/test_poplib.py +++ b/Lib/test/test_poplib.py @@ -198,6 +198,10 @@ class TestPOP3Class(TestCase): 113) self.assertEqual(self.client.retr('foo'), expected) + def test_too_long_lines(self): + self.assertRaises(poplib.error_proto, self.client._shortcmd, + 'echo +%s' % ((poplib._MAXLINE + 10) * 'a')) + def test_dele(self): self.assertOK(self.client.dele('foo')) @@ -10,6 +10,9 @@ What's New in Python 2.7.9? Library ------- +- Issue #16041: In poplib, limit maximum line length read from the server to + prevent CVE-2013-1752. + - Issue #22960: Add a context argument to xmlrpclib.ServerProxy. |