From eaca8616ab0e219ebb5cf37d495f4bf336ec0f5e Mon Sep 17 00:00:00 2001
From: Georg Brandl <georg@python.org>
Date: Tue, 30 Sep 2014 14:45:39 +0200
Subject: Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to
 2048 to prevent readline() calls from consuming too much memory.  Patch by
 Jyrki Pulliainen.

---
 Lib/poplib.py           | 11 ++++++++++-
 Lib/test/test_poplib.py |  6 +++++-
 Misc/NEWS               |  4 ++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/Lib/poplib.py b/Lib/poplib.py
index 84ea88d..13e0f71 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -32,6 +32,12 @@ CR = b'\r'
 LF = b'\n'
 CRLF = CR+LF
 
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
 
 class POP3:
 
@@ -107,7 +113,10 @@ class POP3:
     # Raise error_proto('-ERR EOF') if the connection is closed.
 
     def _getline(self):
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise error_proto('line too long')
+
         if self._debugging > 1: print('*get*', repr(line))
         if not line: raise error_proto('-ERR EOF')
         octets = len(line)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index e3901b8..17b2261 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -83,7 +83,7 @@ class DummyPOP3Handler(asynchat.async_chat):
 
     def cmd_list(self, arg):
         if arg:
-            self.push('+OK %s %s' %(arg, arg))
+            self.push('+OK %s %s' % (arg, arg))
         else:
             self.push('+OK')
             asynchat.async_chat.push(self, LIST_RESP)
@@ -204,6 +204,10 @@ class TestPOP3Class(TestCase):
         foo = self.client.retr('foo')
         self.assertEqual(foo, expected)
 
+    def test_too_long_lines(self):
+        self.assertRaises(poplib.error_proto, self.client._shortcmd,
+                          'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
+
     def test_dele(self):
         self.assertOK(self.client.dele('foo'))
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 1de9c10..44b0e96 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,10 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
+  prevent readline() calls from consuming too much memory.  Patch by Jyrki
+  Pulliainen.
+
 - Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
   limiting the call to readline().  Original patch by Christian Heimes.
 
-- 
cgit v0.12