[Python-checkins] cpython (2.6): #16042: CVE-2013-1752: Limit amount of data read by limiting the call to

andrew.kuchling python-checkins at python.org
Sun Sep 15 19:15:13 CEST 2013 

http://hg.python.org/cpython/rev/8a6def3add5b
changeset:   85714:8a6def3add5b
branch:      2.6
parent:      85537:07ee48ce4513
user:        Andrew Kuchling <amk at amk.ca>
date:        Sun Sep 15 13:11:47 2013 -0400
summary:
  #16042: CVE-2013-1752: Limit amount of data read by limiting the call to readline().

The SSLFakeFile.readline() method needs to support limiting readline() as
well.  It's not a full emulation of readline()'s signature, but this class
is only used by smtplib's code, so it doesn't have to be.

Modified version of original patch by Christian Heimes.

files:
  Lib/smtplib.py           |  13 +++++++++--
  Lib/test/test_smtplib.py |  29 +++++++++++++++++++++++++++-
  Misc/NEWS                |   5 +++-
  3 files changed, 42 insertions(+), 5 deletions(-)


diff --git a/Lib/smtplib.py b/Lib/smtplib.py
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -57,6 +57,7 @@
 SMTP_PORT = 25
 SMTP_SSL_PORT = 465
 CRLF="\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
 
 OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
 
@@ -170,10 +171,14 @@
         def __init__(self, sslobj):
             self.sslobj = sslobj
 
-        def readline(self):
+        def readline(self, size=-1):
+            if size < 0:
+                size = None
             str = ""
             chr = None
             while chr != "\n":
+                if size is not None and len(str) >= size:
+                    break
                 chr = self.sslobj.read(1)
                 if not chr: break
                 str += chr
@@ -334,11 +339,13 @@
         if self.file is None:
             self.file = self.sock.makefile('rb')
         while 1:
-            line = self.file.readline()
+            line = self.file.readline(_MAXLINE + 1)
             if line == '':
                 self.close()
                 raise SMTPServerDisconnected("Connection unexpectedly closed")
-            if self.debuglevel > 0: print>>stderr, 'reply:', repr(line)
+            if self.debuglevel > 0: print >>stderr, 'reply:', repr(line)
+            if len(line) > _MAXLINE:
+                raise SMTPResponseException(500, "Line too long.")
             resp.append(line[4:].strip())
             code=line[:3]
             # Check that the error code is syntactically correct.
diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py
--- a/Lib/test/test_smtplib.py
+++ b/Lib/test/test_smtplib.py
@@ -273,6 +273,32 @@
                             HOST, self.port, 'localhost', 3)
 
 
+class TooLongLineTests(TestCase):
+    respdata = '250 OK' + ('.' * smtplib._MAXLINE * 2) + '\n'
+
+    def setUp(self):
+        self.old_stdout = sys.stdout
+        self.output = StringIO.StringIO()
+        sys.stdout = self.output
+
+        self.evt = threading.Event()
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.settimeout(15)
+        self.port = test_support.bind_port(self.sock)
+        servargs = (self.evt, self.respdata, self.sock)
+        threading.Thread(target=server, args=servargs).start()
+        self.evt.wait()
+        self.evt.clear()
+
+    def tearDown(self):
+        self.evt.wait()
+        sys.stdout = self.old_stdout
+
+    def testLineTooLong(self):
+        self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
+                          HOST, self.port, 'localhost', 3)
+
+
 sim_users = {'Mr.A at somewhere.com':'John A',
              'Ms.B at somewhere.com':'Sally B',
              'Mrs.C at somewhereesle.com':'Ruth C',
@@ -482,7 +508,8 @@
 def test_main(verbose=None):
     test_support.run_unittest(GeneralTests, DebuggingServerTests,
                               NonConnectingTests,
-                              BadHELOServerTests, SMTPSimTests)
+                              BadHELOServerTests, SMTPSimTests,
+                              TooLongLineTests)
 
 if __name__ == '__main__':
     test_main()
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,13 +16,16 @@
 - Issue #16248: Disable code execution from the user's home directory by
   tkinter when the -E flag is passed to Python.  Patch by Zachary Ware.
 
+- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
+  limiting the call to readline().  Original patch by Christian Heimes.
+
 Extension Modules
 -----------------
 
 - Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
   inside subjectAltName correctly. Formerly the module has used OpenSSL's
   GENERAL_NAME_print() function to get the string represention of ASN.1
-  strings for `rfc822Name` (email), `dNSName` (DNS) and 
+  strings for `rfc822Name` (email), `dNSName` (DNS) and
   `uniformResourceIdentifier` (URI).
 
 

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list