Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to

prevent readline() calls from consuming too much memory.  Patch by Jyrki
Pulliainen.
This commit is contained in:
Georg Brandl 2013-10-27 07:23:53 +01:00
parent 72c98d3a76
commit 7e27abbb39
3 changed files with 19 additions and 2 deletions


@ -32,6 +32,12 @@ CR = b'\r'
LF = b'\n' LF = b'\n'
CRLF = CR+LF CRLF = CR+LF
# maximal line length when calling readline(). This is to prevent
# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
# 512 characters, including CRLF. We have selected 2048 just to be on
# the safe side.
_MAXLINE = 2048
class POP3: class POP3:
@ -107,7 +113,10 @@ class POP3:
# Raise error_proto('-ERR EOF') if the connection is closed. # Raise error_proto('-ERR EOF') if the connection is closed.
def _getline(self): def _getline(self):
line = self.file.readline() line = self.file.readline(_MAXLINE + 1)
if len(line) > _MAXLINE:
raise error_proto('line too long')
if self._debugging > 1: print('*get*', repr(line)) if self._debugging > 1: print('*get*', repr(line))
if not line: raise error_proto('-ERR EOF') if not line: raise error_proto('-ERR EOF')
octets = len(line) octets = len(line)
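Review bot: Raising error_proto('line too long') in _getline leaves the unread tail of the oversized line in self.file, so a later _getline on the same connection would parse that tail as a fresh server response; unless the caller closes the connection the session is bounded but desynchronized, which the patch should at least document, e.g. `# Connection is unusable after this; caller should close it.` above the raise. The memory bound itself looks right: readline(_MAXLINE + 1) caps each read at 2049 bytes and `len(line) > _MAXLINE` catches both a terminated line that is too long and an unterminated 2049-byte prefix. For consistency with the '-ERR EOF' message on the next line, `raise error_proto('-ERR line too long')` would keep the two synthesized errors in one style, and the new comment in the first hunk misspells `lenght`. _getline's body continues past the end of the hunk.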


@ -83,7 +83,7 @@ class DummyPOP3Handler(asynchat.async_chat):
def cmd_list(self, arg): def cmd_list(self, arg):
if arg: if arg:
self.push('+OK %s %s' %(arg, arg)) self.push('+OK %s %s' % (arg, arg))
else: else:
self.push('+OK') self.push('+OK')
asynchat.async_chat.push(self, LIST_RESP) asynchat.async_chat.push(self, LIST_RESP)
@ -208,6 +208,10 @@ class TestPOP3Class(TestCase):
foo = self.client.retr('foo') foo = self.client.retr('foo')
self.assertEqual(foo, expected) self.assertEqual(foo, expected)
def test_too_long_lines(self):
self.assertRaises(poplib.error_proto, self.client._shortcmd,
'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
def test_dele(self): def test_dele(self):
self.assertOK(self.client.dele('foo')) self.assertOK(self.client.dele('foo'))
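Review bot: test_too_long_lines only exercises the failure side of the new limit; nothing checks that a response of exactly _MAXLINE bytes is still accepted, so an off-by-one in _getline's comparison would go unnoticed. Assuming the dummy server's echo command sends its argument back followed by CRLF (the handler is outside this hunk, so confirm), a boundary check such as `self.assertOK(self.client._shortcmd('echo +%s' % ((poplib._MAXLINE - 3) * 'a')))` would pin the accepted maximum, with the `_MAXLINE - 2` case expected to raise. The whitespace change in cmd_list above is cosmetic and needs no review.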


@ -81,6 +81,10 @@ Core and Builtins
Library Library
------- -------
- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory. Patch by Jyrki
Pulliainen.
- Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125, - Issue #17997: Change behavior of ``ssl.match_hostname()`` to follow RFC 6125,
for security reasons. It now doesn't match multiple wildcards nor wildcards for security reasons. It now doesn't match multiple wildcards nor wildcards
inside IDN fragments. inside IDN fragments.