Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to

prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen.

Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen.
7e27abbb · Georg Brandl · 72c98d3a · 7e27abbb · 7e27abbb · 7e27abbb
Kaydet (Commit) 7e27abbb authored Eki 27, 2013 tarafından Georg Brandl
Show whitespace changes
Inline Side-by-side

Showing with 19 additions and 2 deletions

poplib.py Lib/poplib.py +10 -1

test_poplib.py Lib/test/test_poplib.py +5 -1

NEWS Misc/NEWS +4 -0

No files found.
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -32,6 +32,12 @@ CR = b'\r'
 LF = b'\n'
 CRLF = CR+LF
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
 class POP3:
@@ -107,7 +113,10 @@ class POP3:
    # Raise error_proto('-ERR EOF') if the connection is closed.
    def _getline(self):
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise error_proto('line too long')
        if self._debugging > 1: print('*get*', repr(line))
        if not line: raise error_proto('-ERR EOF')
        octets = len(line)

--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -83,7 +83,7 @@ class DummyPOP3Handler(asynchat.async_chat):
    def cmd_list(self, arg):
        if arg:
-            self.push('+OK %s %s' %(arg, arg))
+            self.push('+OK %s %s' % (arg, arg))
        else:
            self.push('+OK')
            asynchat.async_chat.push(self, LIST_RESP)
@@ -208,6 +208,10 @@ class TestPOP3Class(TestCase):
        foo = self.client.retr('foo')
        self.assertEqual(foo, expected)
+    def test_too_long_lines(self):
+        self.assertRaises(poplib.error_proto, self.client._shortcmd,
+                          'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
    def test_dele(self):
        self.assertOK(self.client.dele('foo'))

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -81,6 +81,10 @@ Core and Builtins
 Library
 -------
+- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
+  prevent readline() calls from consuming too much memory.  Patch by Jyrki
+  Pulliainen.
 - Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
  for security reasons.  It now doesn't match multiple wildcards nor wildcards
  inside IDN fragments.