Mailman 3 September 2014 - Python-checkins

cpython (3.2): Fix-up for 0f362676460d: add missing size argument to SSLFakeFile.readline(),
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/4065c4539fcb changeset: 92671:4065c4539fcb branch: 3.2 user: Georg Brandl <georg(a)python.org> date: Tue Sep 30 16:31:21 2014 +0200 summary: Fix-up for 0f362676460d: add missing size argument to SSLFakeFile.readline(), as in 2.6 backport 8a6def3add5b files: Lib/smtplib.py | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/Lib/smtplib.py b/Lib/smtplib.py old mode 100644 new mode 100755 --- a/Lib/smtplib.py +++ b/Lib/smtplib.py @@ -189,10 +189,14 @@ def __init__(self, sslobj): self.sslobj = sslobj - def readline(self): + def readline(self, size=-1): + if size < 0: + size = None str = b"" chr = None while chr != b"\n": + if size is not None and len(str) > size: + break chr = self.sslobj.read(1) if not chr: break -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #20939: Use www.example.com instead of www.python.org to avoid test
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/97c329849ef3 changeset: 92670:97c329849ef3 branch: 3.2 user: Ned Deily <nad(a)acm.org> date: Wed Mar 26 23:31:39 2014 -0700 summary: Issue #20939: Use www.example.com instead of www.python.org to avoid test failures when ssl is not present. files: Lib/test/test_urllib2net.py | 10 ++++---- Lib/test/test_urllibnet.py | 26 ++++++++++++------------ Misc/NEWS | 7 ++++++ 3 files changed, 25 insertions(+), 18 deletions(-) diff --git a/Lib/test/test_urllib2net.py b/Lib/test/test_urllib2net.py old mode 100644 new mode 100755 --- a/Lib/test/test_urllib2net.py +++ b/Lib/test/test_urllib2net.py @@ -84,7 +84,7 @@ # calling .close() on urllib2's response objects should close the # underlying socket - response = _urlopen_with_retry("http://www.python.org/") + response = _urlopen_with_retry("http://www.example.com/") sock = response.fp self.assertTrue(not sock.closed) response.close() @@ -254,7 +254,7 @@ class TimeoutTest(unittest.TestCase): def test_http_basic(self): self.assertTrue(socket.getdefaulttimeout() is None) - url = "http://www.python.org" + url = "http://www.example.com" with support.transient_internet(url, timeout=None): u = _urlopen_with_retry(url) self.addCleanup(u.close) @@ -262,7 +262,7 @@ def test_http_default_timeout(self): self.assertTrue(socket.getdefaulttimeout() is None) - url = "http://www.python.org" + url = "http://www.example.com" with support.transient_internet(url): socket.setdefaulttimeout(60) try: @@ -274,7 +274,7 @@ def test_http_no_timeout(self): self.assertTrue(socket.getdefaulttimeout() is None) - url = "http://www.python.org" + url = "http://www.example.com" with support.transient_internet(url): socket.setdefaulttimeout(60) try: @@ -285,7 +285,7 @@ self.assertTrue(u.fp.raw._sock.gettimeout() is None) def test_http_timeout(self): - url = "http://www.python.org" + url = "http://www.example.com" with support.transient_internet(url): u = _urlopen_with_retry(url, timeout=120) self.addCleanup(u.close) diff --git a/Lib/test/test_urllibnet.py b/Lib/test/test_urllibnet.py old mode 100644 new mode 100755 --- a/Lib/test/test_urllibnet.py +++ b/Lib/test/test_urllibnet.py @@ -24,8 +24,8 @@ socket.setdefaulttimeout(None) def testURLread(self): - with support.transient_internet("www.python.org"): - f = urllib.request.urlopen("http://www.python.org/") + with support.transient_internet("www.example.com"): + f = urllib.request.urlopen("http://www.example.com/") x = f.read() @@ -38,7 +38,7 @@ for transparent redirection have been written. setUp is not used for always constructing a connection to - http://www.python.org/ since there a few tests that don't use that address + http://www.example.com/ since there a few tests that don't use that address and making a connection is expensive enough to warrant minimizing unneeded connections. @@ -56,7 +56,7 @@ def test_basic(self): # Simple test expected to pass. - with self.urlopen("http://www.python.org/") as open_url: + with self.urlopen("http://www.example.com/") as open_url: for attr in ("read", "readline", "readlines", "fileno", "close", "info", "geturl"): self.assertTrue(hasattr(open_url, attr), "object returned from " @@ -65,7 +65,7 @@ def test_readlines(self): # Test both readline and readlines. - with self.urlopen("http://www.python.org/") as open_url: + with self.urlopen("http://www.example.com/") as open_url: self.assertIsInstance(open_url.readline(), bytes, "readline did not return a string") self.assertIsInstance(open_url.readlines(), list, @@ -73,7 +73,7 @@ def test_info(self): # Test 'info'. - with self.urlopen("http://www.python.org/") as open_url: + with self.urlopen("http://www.example.com/") as open_url: info_obj = open_url.info() self.assertIsInstance(info_obj, email.message.Message, "object returned by 'info' is not an " @@ -82,14 +82,14 @@ def test_geturl(self): # Make sure same URL as opened is returned by geturl. - URL = "http://www.python.org/" + URL = "http://www.example.com/" with self.urlopen(URL) as open_url: gotten_url = open_url.geturl() self.assertEqual(gotten_url, URL) def test_getcode(self): # test getcode() with the fancy opener to get 404 error codes - URL = "http://www.python.org/XXXinvalidXXX" + URL = "http://www.example.com/XXXinvalidXXX" with support.transient_internet(URL): open_url = urllib.request.FancyURLopener().open(URL) try: @@ -104,7 +104,7 @@ # test can't pass on Windows. return # Make sure fd returned by fileno is valid. - with self.urlopen("http://www.python.org/", timeout=None) as open_url: + with self.urlopen("http://www.example.com/", timeout=None) as open_url: fd = open_url.fileno() with os.fdopen(fd, 'rb') as f: self.assertTrue(f.read(), "reading from file created using fd " @@ -148,7 +148,7 @@ def test_basic(self): # Test basic functionality. - with self.urlretrieve("http://www.python.org/") as (file_location, info): + with self.urlretrieve("http://www.example.com/") as (file_location, info): self.assertTrue(os.path.exists(file_location), "file location returned by" " urlretrieve is not a valid path") with open(file_location, 'rb') as f: @@ -157,7 +157,7 @@ def test_specified_path(self): # Make sure that specifying the location of the file to write to works. - with self.urlretrieve("http://www.python.org/", + with self.urlretrieve("http://www.example.com/", support.TESTFN) as (file_location, info): self.assertEqual(file_location, support.TESTFN) self.assertTrue(os.path.exists(file_location)) @@ -166,12 +166,12 @@ def test_header(self): # Make sure header returned as 2nd value from urlretrieve is good. - with self.urlretrieve("http://www.python.org/") as (file_location, info): + with self.urlretrieve("http://www.example.com/") as (file_location, info): self.assertIsInstance(info, email.message.Message, "info is not an instance of email.message.Message") def test_data_header(self): - logo = "http://www.python.org/static/community_logos/python-logo-master-v3-TM.png" + logo = "http://www.example.com/" with self.urlretrieve(logo) as (file_location, fileheaders): datevalue = fileheaders.get('Date') dateformat = '%a, %d %b %Y %H:%M:%S GMT' diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -76,6 +76,13 @@ - Issue #21323: Fix http.server to again handle scripts in CGI subdirectories, broken by the fix for security issue #19435. Patch by Zach Byrne. +Tests +----- + +- Issue #20939: Avoid various network test failures due to new + redirect of http://www.python.org/ to https://www.python.org: + use http://www.example.com instead. + What's New in Python 3.2.5? =========================== -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/5d1c03316af7 changeset: 92669:5d1c03316af7 branch: 3.2 user: Georg Brandl <georg(a)python.org> date: Tue Sep 30 16:00:09 2014 +0200 summary: Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit line length. Patch by Emil Lind. files: Lib/imaplib.py | 14 +++++++++++++- Lib/test/test_imaplib.py | 11 +++++++++++ Misc/NEWS | 3 +++ 3 files changed, 27 insertions(+), 1 deletions(-) diff --git a/Lib/imaplib.py b/Lib/imaplib.py --- a/Lib/imaplib.py +++ b/Lib/imaplib.py @@ -42,6 +42,15 @@ IMAP4_SSL_PORT = 993 AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first +# Maximal line length when calling readline(). This is to prevent +# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1) +# don't specify a line length. RFC 2683 however suggests limiting client +# command lines to 1000 octets and server command lines to 8000 octets. +# We have selected 10000 for some extra margin and since that is supposedly +# also what UW and Panda IMAP does. +_MAXLINE = 10000 + + # Commands Commands = { @@ -263,7 +272,10 @@ def readline(self): """Read line from remote.""" - return self.file.readline() + line = self.file.readline(_MAXLINE + 1) + if len(line) > _MAXLINE: + raise self.error("got more than %d bytes" % _MAXLINE) + return line def send(self, data): diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py --- a/Lib/test/test_imaplib.py +++ b/Lib/test/test_imaplib.py @@ -309,6 +309,17 @@ self.assertEqual(ret, "OK") + def test_linetoolong(self): + class TooLongHandler(SimpleIMAPHandler): + def handle(self): + # Send a very long response line + self.wfile.write(b'* OK ' + imaplib._MAXLINE*b'x' + b'\r\n') + + with self.reaped_server(TooLongHandler) as server: + self.assertRaises(imaplib.IMAP4.error, + self.imap_class, *server.server_address) + + class ThreadedNetworkedTests(BaseThreadedNetworkedTests): server_class = socketserver.TCPServer diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ Library ------- +- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit + line length. Patch by Emil Lind. + - Issue #22421: Fix a regression that caused the pydoc server to be bound to all interfaces instead of only localhost. -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #22421 - Secure pydoc server run. Bind it to localhost instead of all
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/02dae04b3e2b changeset: 92668:02dae04b3e2b branch: 3.2 user: Georg Brandl <georg(a)python.org> date: Wed Sep 17 13:17:58 2014 +0800 summary: Issue #22421 - Secure pydoc server run. Bind it to localhost instead of all interfaces. files: Lib/pydoc.py | 4 ++-- Lib/test/test_pydoc.py | 2 ++ Misc/NEWS | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Lib/pydoc.py b/Lib/pydoc.py --- a/Lib/pydoc.py +++ b/Lib/pydoc.py @@ -2431,8 +2431,8 @@ class DocServer(http.server.HTTPServer): def __init__(self, port, callback): - self.host = (sys.platform == 'mac') and '127.0.0.1' or 'localhost' - self.address = ('', port) + self.host = 'localhost' + self.address = (self.host, port) self.callback = callback self.base.__init__(self, self.address, self.handler) self.quit = False diff --git a/Lib/test/test_pydoc.py b/Lib/test/test_pydoc.py --- a/Lib/test/test_pydoc.py +++ b/Lib/test/test_pydoc.py @@ -510,6 +510,8 @@ return text serverthread = pydoc._start_server(my_url_handler, port=0) + self.assertIn('localhost', serverthread.docserver.address) + starttime = time.time() timeout = 1 #seconds diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ Library ------- +- Issue #22421: Fix a regression that caused the pydoc server to be bound to + all interfaces instead of only localhost. + - Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes and send a 414 error code for higher lengths. Patch contributed by Devin Cook. -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Lax cookie parsing in http.cookies could be a security issue when combined
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/5cfe74a9bfa4 changeset: 92667:5cfe74a9bfa4 branch: 3.2 user: Antoine Pitrou <solipsis(a)pitrou.net> date: Wed Sep 17 00:23:55 2014 +0200 summary: Lax cookie parsing in http.cookies could be a security issue when combined with non-standard cookie handling in some Web browsers. Reported by Sergey Bobrov. files: Lib/http/cookies.py | 3 ++- Lib/test/test_http_cookies.py | 9 +++++++++ Misc/ACKS | 1 + Misc/NEWS | 4 ++++ 4 files changed, 16 insertions(+), 1 deletions(-) diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py --- a/Lib/http/cookies.py +++ b/Lib/http/cookies.py @@ -432,6 +432,7 @@ _LegalCharsPatt = r"[\w\d!#%&'~_`><@,:/\$\*\+\-\.\^\|\)\(\?\}\{\=]" _CookiePattern = re.compile(r""" (?x) # This is a verbose pattern + \s* # Optional whitespace at start of cookie (?P<key> # Start of group 'key' """ + _LegalCharsPatt + r"""+? # Any word of at least one letter ) # End of group 'key' @@ -532,7 +533,7 @@ while 0 <= i < n: # Start looking for a cookie - match = patt.search(str, i) + match = patt.match(str, i) if not match: # No more cookies break diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py --- a/Lib/test/test_http_cookies.py +++ b/Lib/test/test_http_cookies.py @@ -132,6 +132,15 @@ </script> """) + def test_invalid_cookies(self): + # Accepting these could be a security issue + C = cookies.SimpleCookie() + for s in (']foo=x', '[foo=x', 'blah]foo=x', 'blah[foo=x'): + C.load(s) + self.assertEqual(dict(C), {}) + self.assertEqual(C.output(), '') + + class MorselTests(unittest.TestCase): """Tests for the Morsel object.""" diff --git a/Misc/ACKS b/Misc/ACKS --- a/Misc/ACKS +++ b/Misc/ACKS @@ -117,6 +117,7 @@ Pablo Bleyer Erik van Blokland Eric Blossom +Sergey Bobrov Finn Bock Paul Boddie Matthew Boedicker diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -37,6 +37,10 @@ strings for ``rfc822Name`` (email), ``dNSName`` (DNS) and ``uniformResourceIdentifier`` (URI). +- Lax cookie parsing in http.cookies could be a security issue when combined + with non-standard cookie handling in some Web browsers. Reported by + Sergey Bobrov. + - Issue #21766: Prevent a security hole in CGIHTTPServer by URL unquoting paths before checking for a CGI script at that path. -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/0d115d14adfd changeset: 92666:0d115d14adfd branch: 3.2 user: Georg Brandl <georg(a)python.org> date: Tue Sep 30 14:56:46 2014 +0200 summary: Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes and send a 414 error code for higher lengths. Patch contributed by Devin Cook. files: Lib/test/test_wsgiref.py | 5 +++++ Lib/wsgiref/simple_server.py | 9 ++++++++- Misc/ACKS | 1 + Misc/NEWS | 4 ++++ 4 files changed, 18 insertions(+), 1 deletions(-) diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py --- a/Lib/test/test_wsgiref.py +++ b/Lib/test/test_wsgiref.py @@ -114,6 +114,11 @@ out, err = run_amock() self.check_hello(out) + def test_request_length(self): + out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n") + self.assertEqual(out.splitlines()[0], + b"HTTP/1.0 414 Request-URI Too Long") + def test_validated_hello(self): out, err = run_amock(validator(hello_app)) # the middleware doesn't support len(), so content-length isn't there diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py --- a/Lib/wsgiref/simple_server.py +++ b/Lib/wsgiref/simple_server.py @@ -114,7 +114,14 @@ def handle(self): """Handle a single HTTP request""" - self.raw_requestline = self.rfile.readline() + self.raw_requestline = self.rfile.readline(65537) + if len(self.raw_requestline) > 65536: + self.requestline = '' + self.request_version = '' + self.command = '' + self.send_error(414) + return + if not self.parse_request(): # An error code has been sent, just exit return diff --git a/Misc/ACKS b/Misc/ACKS --- a/Misc/ACKS +++ b/Misc/ACKS @@ -219,6 +219,7 @@ Geremy Condra Juan José Conti Matt Conway +Devin Cook David M. Cooke Jason R. Coombs Garrett Cooper diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,10 @@ Library ------- +- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to + 65536 bytes and send a 414 error code for higher lengths. Patch contributed + by Devin Cook. + - Issue #22517: When a io.BufferedRWPair object is deallocated, clear its weakrefs. -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/4fa5239624b8 changeset: 92665:4fa5239624b8 branch: 3.2 parent: 92663:76be07730f8d user: Georg Brandl <georg(a)python.org> date: Tue Sep 30 14:54:39 2014 +0200 summary: Issue #22517: When a io.BufferedRWPair object is deallocated, clear its weakrefs. files: Lib/test/test_io.py | 6 ++++++ Misc/NEWS | 3 +++ Modules/_io/bufferedio.c | 2 ++ 3 files changed, 11 insertions(+), 0 deletions(-) diff --git a/Lib/test/test_io.py b/Lib/test/test_io.py --- a/Lib/test/test_io.py +++ b/Lib/test/test_io.py @@ -1454,6 +1454,12 @@ pair = self.tp(SelectableIsAtty(True), SelectableIsAtty(True)) self.assertTrue(pair.isatty()) + def test_weakref_clearing(self): + brw = self.tp(self.MockRawIO(), self.MockRawIO()) + ref = weakref.ref(brw) + brw = None + ref = None # Shouldn't segfault. + class CBufferedRWPairTest(BufferedRWPairTest): tp = io.BufferedRWPair diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ Library ------- +- Issue #22517: When a io.BufferedRWPair object is deallocated, clear its + weakrefs. + - Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen. diff --git a/Modules/_io/bufferedio.c b/Modules/_io/bufferedio.c --- a/Modules/_io/bufferedio.c +++ b/Modules/_io/bufferedio.c @@ -2141,6 +2141,8 @@ bufferedrwpair_dealloc(rwpair *self) { _PyObject_GC_UNTRACK(self); + if (self->weakreflist != NULL) + PyObject_ClearWeakRefs((PyObject *)self); Py_CLEAR(self->reader); Py_CLEAR(self->writer); Py_CLEAR(self->dict); -- Repository URL: https://hg.python.org/cpython

1 0

cpython: Remove pointless "vile hack" that can cause the build step to fail when some
by antoine.pitrou Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/94af1af93670 changeset: 92664:94af1af93670 parent: 92657:6e7d923dfd2a user: Antoine Pitrou <solipsis(a)pitrou.net> date: Tue Sep 30 14:58:22 2014 +0200 summary: Remove pointless "vile hack" that can cause the build step to fail when some extension modules can't be imported. See issue #5309 for the build failures, issue #458343 for the original motivation. files: Lib/distutils/command/build_ext.py | 11 ++--------- setup.py | 11 ----------- 2 files changed, 2 insertions(+), 20 deletions(-) diff --git a/Lib/distutils/command/build_ext.py b/Lib/distutils/command/build_ext.py --- a/Lib/distutils/command/build_ext.py +++ b/Lib/distutils/command/build_ext.py @@ -545,15 +545,8 @@ extra_postargs=extra_args, depends=ext.depends) - # XXX -- this is a Vile HACK! - # - # The setup.py script for Python on Unix needs to be able to - # get this list so it can perform all the clean up needed to - # avoid keeping object files around when cleaning out a failed - # build of an extension module. Since Distutils does not - # track dependencies, we have to get rid of intermediates to - # ensure all the intermediates will be properly re-built. - # + # XXX outdated variable, kept here in case third-part code + # needs it. self._built_objects = objects[:] # Now link the object files together into a "shared object" -- diff --git a/setup.py b/setup.py --- a/setup.py +++ b/setup.py @@ -381,17 +381,6 @@ os.remove(newname) os.rename(ext_filename, newname) - # XXX -- This relies on a Vile HACK in - # distutils.command.build_ext.build_extension(). The - # _built_objects attribute is stored there strictly for - # use here. - # If there is a failure, _built_objects may not be there, - # so catch the AttributeError and move on. - try: - for filename in self._built_objects: - os.remove(filename) - except AttributeError: - self.announce('unable to remove files (ignored)') except: exc_type, why, tb = sys.exc_info() self.announce('*** WARNING: importing extension "%s" ' -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/0f362676460d changeset: 92662:0f362676460d branch: 3.2 user: Georg Brandl <georg(a)python.org> date: Tue Sep 30 14:18:02 2014 +0200 summary: Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by limiting the call to readline(). Original patch by Christian Heimes. files: Lib/smtplib.py | 5 +++- Lib/test/mock_socket.py | 9 ++++++- Lib/test/test_smtplib.py | 30 +++++++++++++++++++++++++++- Misc/NEWS | 3 ++ 4 files changed, 43 insertions(+), 4 deletions(-) diff --git a/Lib/smtplib.py b/Lib/smtplib.py --- a/Lib/smtplib.py +++ b/Lib/smtplib.py @@ -62,6 +62,7 @@ SMTP_SSL_PORT = 465 CRLF = "\r\n" bCRLF = b"\r\n" +_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3 OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I) @@ -363,7 +364,7 @@ self.file = self.sock.makefile('rb') while 1: try: - line = self.file.readline() + line = self.file.readline(_MAXLINE + 1) except socket.error as e: self.close() raise SMTPServerDisconnected("Connection unexpectedly closed: " @@ -373,6 +374,8 @@ raise SMTPServerDisconnected("Connection unexpectedly closed") if self.debuglevel > 0: print('reply:', repr(line), file=stderr) + if len(line) > _MAXLINE: + raise SMTPResponseException(500, "Line too long.") resp.append(line[4:].strip(b' \t\r\n')) code = line[:3] # Check that the error code is syntactically correct. diff --git a/Lib/test/mock_socket.py b/Lib/test/mock_socket.py --- a/Lib/test/mock_socket.py +++ b/Lib/test/mock_socket.py @@ -21,8 +21,13 @@ """ def __init__(self, lines): self.lines = lines - def readline(self): - return self.lines.pop(0) + b'\r\n' + def readline(self, limit=-1): + result = self.lines.pop(0) + b'\r\n' + if limit >= 0: + # Re-insert the line, removing the \r\n we added. + self.lines.insert(0, result[limit:-2]) + result = result[:limit] + return result def close(self): pass diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py --- a/Lib/test/test_smtplib.py +++ b/Lib/test/test_smtplib.py @@ -537,6 +537,33 @@ HOST, self.port, 'localhost', 3) +(a)unittest.skipUnless(threading, 'Threading required for this test.') +class TooLongLineTests(unittest.TestCase): + respdata = b'250 OK' + (b'.' * smtplib._MAXLINE * 2) + b'\n' + + def setUp(self): + self.old_stdout = sys.stdout + self.output = io.StringIO() + sys.stdout = self.output + + self.evt = threading.Event() + self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.sock.settimeout(15) + self.port = support.bind_port(self.sock) + servargs = (self.evt, self.respdata, self.sock) + threading.Thread(target=server, args=servargs).start() + self.evt.wait() + self.evt.clear() + + def tearDown(self): + self.evt.wait() + sys.stdout = self.old_stdout + + def testLineTooLong(self): + self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP, + HOST, self.port, 'localhost', 3) + + sim_users = {'Mr.A(a)somewhere.com':'John A', 'Ms.B(a)xn--fo-fka.com':'Sally B', 'Mrs.C(a)somewhereesle.com':'Ruth C', @@ -826,7 +853,8 @@ def test_main(verbose=None): support.run_unittest(GeneralTests, DebuggingServerTests, NonConnectingTests, - BadHELOServerTests, SMTPSimTests) + BadHELOServerTests, SMTPSimTests, + TooLongLineTests) if __name__ == '__main__': test_main() diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ Library ------- +- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by + limiting the call to readline(). Original patch by Christian Heimes. + - Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by limiting the call to readline(). Original patch by Michał Jastrzębski and Giampaolo Rodola. -- Repository URL: https://hg.python.org/cpython

1 0

cpython (3.2): Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
by georg.brandl Sept. 30, 2014

Sept. 30, 2014

https://hg.python.org/cpython/rev/76be07730f8d changeset: 92663:76be07730f8d branch: 3.2 user: Georg Brandl <georg(a)python.org> date: Tue Sep 30 14:45:39 2014 +0200 summary: Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen. files: Lib/poplib.py | 11 ++++++++++- Lib/test/test_poplib.py | 6 +++++- Misc/NEWS | 4 ++++ 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/Lib/poplib.py b/Lib/poplib.py --- a/Lib/poplib.py +++ b/Lib/poplib.py @@ -32,6 +32,12 @@ LF = b'\n' CRLF = CR+LF +# maximal line length when calling readline(). This is to prevent +# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to +# 512 characters, including CRLF. We have selected 2048 just to be on +# the safe side. +_MAXLINE = 2048 + class POP3: @@ -107,7 +113,10 @@ # Raise error_proto('-ERR EOF') if the connection is closed. def _getline(self): - line = self.file.readline() + line = self.file.readline(_MAXLINE + 1) + if len(line) > _MAXLINE: + raise error_proto('line too long') + if self._debugging > 1: print('*get*', repr(line)) if not line: raise error_proto('-ERR EOF') octets = len(line) diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py --- a/Lib/test/test_poplib.py +++ b/Lib/test/test_poplib.py @@ -83,7 +83,7 @@ def cmd_list(self, arg): if arg: - self.push('+OK %s %s' %(arg, arg)) + self.push('+OK %s %s' % (arg, arg)) else: self.push('+OK') asynchat.async_chat.push(self, LIST_RESP) @@ -204,6 +204,10 @@ foo = self.client.retr('foo') self.assertEqual(foo, expected) + def test_too_long_lines(self): + self.assertRaises(poplib.error_proto, self.client._shortcmd, + 'echo +%s' % ((poplib._MAXLINE + 10) * 'a')) + def test_dele(self): self.assertOK(self.client.dele('foo')) diff --git a/Misc/NEWS b/Misc/NEWS --- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,10 @@ Library ------- +- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to + prevent readline() calls from consuming too much memory. Patch by Jyrki + Pulliainen. + - Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by limiting the call to readline(). Original patch by Christian Heimes. -- Repository URL: https://hg.python.org/cpython

1 0