[Python-checkins] cpython (3.2): Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
georg.brandl
python-checkins at python.org
Tue Sep 30 16:03:18 CEST 2014
https://hg.python.org/cpython/rev/5d1c03316af7
changeset: 92669:5d1c03316af7
branch: 3.2
user: Georg Brandl <georg at python.org>
date: Tue Sep 30 16:00:09 2014 +0200
summary:
Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
line length. Patch by Emil Lind.
files:
Lib/imaplib.py | 14 +++++++++++++-
Lib/test/test_imaplib.py | 11 +++++++++++
Misc/NEWS | 3 +++
3 files changed, 27 insertions(+), 1 deletions(-)
diff --git a/Lib/imaplib.py b/Lib/imaplib.py
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -42,6 +42,15 @@
IMAP4_SSL_PORT = 993
AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first
+# Maximal line length when calling readline(). This is to prevent
+# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1)
+# don't specify a line length. RFC 2683 however suggests limiting client
+# command lines to 1000 octets and server command lines to 8000 octets.
+# We have selected 10000 for some extra margin and since that is supposedly
+# also what UW and Panda IMAP does.
+_MAXLINE = 10000
+
+
# Commands
Commands = {
@@ -263,7 +272,10 @@
def readline(self):
"""Read line from remote."""
- return self.file.readline()
+ line = self.file.readline(_MAXLINE + 1)
+ if len(line) > _MAXLINE:
+ raise self.error("got more than %d bytes" % _MAXLINE)
+ return line
def send(self, data):
diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -309,6 +309,17 @@
self.assertEqual(ret, "OK")
+ def test_linetoolong(self):
+ class TooLongHandler(SimpleIMAPHandler):
+ def handle(self):
+ # Send a very long response line
+ self.wfile.write(b'* OK ' + imaplib._MAXLINE*b'x' + b'\r\n')
+
+ with self.reaped_server(TooLongHandler) as server:
+ self.assertRaises(imaplib.IMAP4.error,
+ self.imap_class, *server.server_address)
+
+
class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
server_class = socketserver.TCPServer
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@
Library
-------
+- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
+ line length. Patch by Emil Lind.
+
- Issue #22421: Fix a regression that caused the pydoc server to be bound to
all interfaces instead of only localhost.
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list