- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much member. Patch by Jyrki
Pulliainen.
diff --git a/Lib/poplib.py b/Lib/poplib.py
index e2b33ef..3283eb6 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -32,6 +32,12 @@
LF = '\n'
CRLF = CR+LF
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
class POP3:
@@ -103,7 +109,10 @@
# Raise error_proto('-ERR EOF') if the connection is closed.
def _getline(self):
- line = self.file.readline()
+ line = self.file.readline(_MAXLINE + 1)
+ if len(line) > _MAXLINE:
+ raise error_proto('line too long')
+
if self._debugging > 1: print '*get*', repr(line)
if not line: raise error_proto('-ERR EOF')
octets = len(line)
@@ -363,7 +372,10 @@
line = ""
renewline = re.compile(r'.*?\n')
match = renewline.match(self.buffer)
+
while not match:
+ if len(self.buffer) > _MAXLINE:
+ raise error_proto('line too long')
self._fillBuffer()
match = renewline.match(self.buffer)
line = match.group(0)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index 18ed224..a4107ce 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -1,3 +1,4 @@
+import os
import socket
import threading
import poplib
@@ -21,6 +22,34 @@
serv.close()
evt.set()
+
+def evil_server(evt, serv, use_ssl=False):
+ serv.listen(5)
+ try:
+ conn, addr = serv.accept()
+ if use_ssl:
+ conn = ssl.wrap_socket(
+ conn,
+ server_side=True,
+ certfile=CERTFILE,
+ )
+ except socket.timeout:
+ pass
+ else:
+ if use_ssl:
+ try:
+ conn.do_handshake()
+ except ssl.SSLError, err:
+ if err.args[0] not in (ssl.SSL_ERROR_WANT_READ,
+ ssl.SSL_ERROR_WANT_WRITE):
+ raise
+ conn.send("+ Hola mundo" * 1000 + "\n")
+ conn.close()
+ finally:
+ serv.close()
+ evt.set()
+
+
class GeneralTests(TestCase):
def setUp(self):
@@ -65,8 +94,50 @@
pop.sock.close()
+class EvilServerTests(TestCase):
+ use_ssl = False
+
+ def setUp(self):
+ self.evt = threading.Event()
+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.sock.settimeout(3)
+ self.port = test_support.bind_port(self.sock)
+ threading.Thread(
+ target=evil_server,
+ args=(self.evt, self.sock, self.use_ssl)).start()
+ time.sleep(.1)
+
+ def tearDown(self):
+ self.evt.wait()
+
+ def testTooLongLines(self):
+ self.assertRaises(poplib.error_proto, poplib.POP3,
+ 'localhost', self.port, timeout=30)
+
+
+SUPPORTS_SSL = False
+
+if hasattr(poplib, 'POP3_SSL'):
+ import ssl
+
+ SUPPORTS_SSL = True
+ CERTFILE = os.path.join(os.path.dirname(__file__) or os.curdir,
+ "keycert.pem")
+
+ class EvilSSLServerTests(EvilServerTests):
+ use_ssl = True
+
+ def testTooLongLines(self):
+ self.assertRaises(poplib.error_proto, poplib.POP3_SSL,
+ 'localhost', self.port)
+
+
def test_main(verbose=None):
test_support.run_unittest(GeneralTests)
+ test_support.run_unittest(EvilServerTests)
+
+ if SUPPORTS_SSL:
+ test_support.run_unittest(EvilSSLServerTests)
if __name__ == '__main__':
test_main()
diff --git a/Misc/NEWS b/Misc/NEWS
index 0f31f1e..b9d7746 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,15 +13,22 @@
Library
-------
-- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
- than 100 headers are read. Adapted from patch by Jyrki Pulliainen.
+- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
+ limiting the call to readline(). Original patch by Christian Heimes.
+
+- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
+ prevent readline() calls from consuming too much member. Patch by Jyrki
+ Pulliainen.
+
+- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
+ limit line length. Patch by Emil Lind.
- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
limiting the call to readline(). Original patch by Michał
Jastrzębski and Giampaolo Rodola.
-- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
- limit line length. Patch by Emil Lind.
+- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
+ than 100 headers are read. Adapted from patch by Jyrki Pulliainen.
- Issue #14984: On POSIX systems, when netrc is called without a filename
argument (and therefore is reading the user's $HOME/.netrc file), it now
@@ -32,8 +39,6 @@
- Issue #16248: Disable code execution from the user's home directory by
tkinter when the -E flag is passed to Python. Patch by Zachary Ware.
-- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
- limiting the call to readline(). Original patch by Christian Heimes.
Extension Modules
-----------------