commit c11435399e7af8317e5a51642ee665347da2b97f
author Georg Brandl <georg@python.org> Sat Jan 25 09:02:18 2014 +0100
committer Georg Brandl <georg@python.org> Sat Jan 25 09:02:18 2014 +0100
tree 45a63ff03df5fda7b9e3c697331165ea5b22bbc0
parent f580d5b6f7468abf768a2ee6360168ad92893457

#16042: CVE-2013-1752: smtplib fix for unlimited readline() from socket

Lib/smtplib.py

diff --git a/Lib/smtplib.py b/Lib/smtplib.py
index 072b973..57f181b 100755
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -62,6 +62,7 @@
 SMTP_SSL_PORT = 465
 CRLF = "\r\n"
 bCRLF = b"\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
 
 OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
 
@@ -364,7 +365,7 @@
             self.file = self.sock.makefile('rb')
         while 1:
             try:
-                line = self.file.readline()
+                line = self.file.readline(_MAXLINE + 1)
             except socket.error as e:
                 self.close()
                 raise SMTPServerDisconnected("Connection unexpectedly closed: "
@@ -374,6 +375,8 @@
                 raise SMTPServerDisconnected("Connection unexpectedly closed")
             if self.debuglevel > 0:
                 print('reply:', repr(line), file=stderr)
+            if len(line) > _MAXLINE:
+                raise SMTPResponseException(500, "Line too long.")
             resp.append(line[4:].strip(b' \t\r\n'))
             code = line[:3]
             # Check that the error code is syntactically correct.