Commit Graph

34 Commits

Author SHA1 Message Date
Benjamin Peterson e052d40cea
[2.7] bpo-32981: Fix catastrophic backtracking vulns (GH-5955)
* Prevent low-grade poplib REDOS (CVE-2018-1060)

The regex to test a mail server's timestamp is susceptible to
catastrophic backtracking on long evil responses from the server.

Happily, the maximum length of malicious inputs is 2K thanks
to a limit introduced in the fix for CVE-2013-1752.

A 2KB evil response from the mail server would result in small slowdowns
(milliseconds vs. microseconds) accumulated over many apop calls.
This is a potential DOS vector via accumulated slowdowns.

Replace it with a similar non-vulnerable regex.

The new regex is RFC compliant.
The old regex was non-compliant in edge cases.

* Prevent difflib REDOS (CVE-2018-1061)

The default regex for IS_LINE_JUNK is susceptible to
catastrophic backtracking.
This is a potential DOS vector.

Replace it with an equivalent non-vulnerable regex.

Also introduce unit and REDOS tests for difflib.

Co-authored-by: Tim Peters <tim.peters@gmail.com>
Co-authored-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 0e6c8ee235)
2018-03-03 22:18:17 -08:00
Benjamin Peterson faad6bbea6 in poplib, limit maximum line length that we read from the network (closes #16041)
Patch from Berker Peksag.
2014-12-05 20:02:38 -05:00
Ezio Melotti f5469cff1f #18705: fix a number of typos. Patch by Févry Thibault. 2013-08-17 15:43:51 +03:00
Facundo Batista 4f1b1ed975 Fixed the semantic of timeout for socket.create_connection and
all the upper level libraries that use it, including urllib2.
Added and fixed some tests, and changed docs correspondingly.
Thanks to John J Lee for the patch and the pushing, :)
2008-05-29 16:39:26 +00:00
Raymond Hettinger ce956842e2 Fix-up docstring 2008-05-17 04:13:36 +00:00
Bill Janssen 98d19dafd9 More work on SSL support.
* Much expanded test suite:

  All protocols tested against all other protocols.
  All protocols tested with all certificate options.
  Tests for bad key and bad cert.
  Test of STARTTLS functionality.
  Test of RAND_* functions.

* Fixes for threading/malloc bug.

* Issue 1065 fixed:

  sslsocket class renamed to SSLSocket.
  sslerror class renamed to SSLError.
  Function "wrap_socket" now used to wrap an existing socket.

* Issue 1583946 finally fixed:

  Support for subjectAltName added.
  Subject name now returned as proper DN list of RDNs.

* SSLError exported from socket as "sslerror".

* RAND_* functions properly exported from ssl.py.

* Documentation improved:

  Example of how to create a self-signed certificate.
  Better indexing.
2007-09-10 21:51:02 +00:00
Thomas Wouters a6900e8d72 Don't lie in __all__ attributes when SSL is not available: only add the SSL
classes when they are actually created.
2007-08-30 21:54:39 +00:00
Bill Janssen 426ea0a864 This contains a number of things:
1) Improve the documentation of the SSL module, with a fuller
   explanation of certificate usage, another reference, proper
   formatting of this and that.

2) Fix Windows bug in ssl.py, and general bug in sslsocket.close().
   Remove some unused code from ssl.py.  Allow accept() to be called on
   sslsocket sockets.

3) Use try-except-else in import of ssl in socket.py.  Deprecate use of
   socket.ssl().

4) Remove use of socket.ssl() in every library module, except for
   test_socket_ssl.py and test_ssl.py.
2007-08-29 22:35:05 +00:00
Facundo Batista 1b1c347311 Added an optional timeout to poplib.POP3. Also created a
test_poplib.py file with a basic test and the timeout
ones. Docs are also updated.
2007-03-27 18:23:21 +00:00
Georg Brandl bffb0bc064 In stdlib, use hashlib instead of deprecated md5 and sha modules. 2006-04-30 08:57:35 +00:00
Georg Brandl 2772c679e9 bug [ 1252706 ] poplib list() docstring fix (and docs too) 2005-08-05 21:01:58 +00:00
Walter Dörwald 70a6b49821 Replace backticks with repr() or "%r"
From SF patch #852334.
2004-02-12 17:35:32 +00:00
Martin v. Löwis 48440b7c27 Patch #: Add POP3 over SSL support. 2003-10-31 12:52:35 +00:00
Raymond Hettinger 16e3c427f3 Replace boolean test with is None. 2002-06-01 16:07:16 +00:00
Martin v. Löwis e12454f44a The Grande 'sendall()' patch, copied from release21-maint. Fixes #516715.
Replaces calls to socket.send() (which isn't guaranteed to send all data)
with the new socket.sendall() method.
2002-02-16 23:06:19 +00:00
Fred Drake a16433b14e Re-enabled debugging prints in poplib & documented the set_debuglevel()
method.
This closes SF patch #486079.
2001-12-05 22:37:21 +00:00
Martin v. Löwis 322c0d187d Only close sockets if they have been created. Reported by Blake Winton. 2001-10-07 08:53:32 +00:00
Martin v. Löwis 2ad2569c72 Initialize msg to avoid unbound locals. 2001-07-31 08:40:21 +00:00
Martin v. Löwis 4eb5940a4d Untabify IPv6 changes. 2001-07-26 13:37:33 +00:00
Martin v. Löwis a43c2f845e Patch #401196: Use getaddrinfo and AF_INET6 in TCP servers and clients. 2001-07-24 20:34:08 +00:00
Skip Montanaro c62c81e013 __all__ for several more modules 2001-02-12 02:00:42 +00:00
Eric S. Raymond 341f929f51 String method conversion. 2001-02-09 06:56:56 +00:00
Moshe Zadka ccc2e3d05d OK, checking in patch 103329.
Please check it against your nearest pop server --
mine doesn't support APOP (I checked I'm getting the same error
message, though)
2001-01-19 19:56:27 +00:00
Tim Peters 2344fae6d0 Whitespace normalization. 2001-01-15 00:50:52 +00:00
Thomas Wouters 7e47402264 Spelling fixes supplied by Rob W. W. Hooft. All these are fixes in either
comments, docstrings or error messages. I fixed two minor things in
test_winreg.py ("didn't" -> "Didn't" and "Didnt" -> "Didn't").

There is a minor style issue involved: Guido seems to have preferred English
grammar (behaviour, honour) in a couple places. This patch changes that to
American, which is the more prominent style in the source. I prefer English
myself, so if English is preferred, I'd be happy to supply a patch myself ;)
2000-07-16 12:04:32 +00:00
Guido van Rossum 2a91cd463a Caolan McNamara: properly undo the byte-stuffing of lines starting
with a dot.  [GvR change: only unstuff when line starts with two dots.]
2000-05-09 10:56:00 +00:00
Guido van Rossum 93a7c0fe6b Fredrik Lundh:
This fixes a bunch of socket.connect(host, post) calls.  Note that I
haven't tested all modules -- I don't have enough servers here...
2000-03-28 21:45:46 +00:00
Guido van Rossum 98d9fd3e68 Simple changes by Gerrit Holl - move author acknowledgements out of
docstrings into comments.
2000-02-28 15:12:25 +00:00
Fred Drake 361c048b8f POP3.uidl(): Update docstring based on comments from Piers Lauder
<piers@cs.su.oz.au>.
1999-05-13 18:47:25 +00:00
Guido van Rossum 8d5bef7fb8 There was a confusion in my checkin of the code to support list() with
and without a message number argument: the argument was called 'msg'
but the code expected it to be called 'which'.  In line with the other
methods, I've renamed the argument to 'which', and adapted the doc
string not to refer to 'msg'.
1998-09-14 17:36:51 +00:00
Guido van Rossum f6ae743cb5 Fix suggested by movits@lockstar.com (plus doc string by myself)
for LIST command with msg argument.
1998-09-02 14:42:02 +00:00
Guido van Rossum de23cb0e7e Bug in how an except statement was written (submitted by Piers himself). 1998-08-06 02:59:07 +00:00
Guido van Rossum 03774bb5ea Version with docstrings and some other changes, by Piers Lauder.
(Adapted by Just, I believe.)
1998-04-09 13:50:55 +00:00
Guido van Rossum 484772d472 Dave Ascher's pop client code. 1998-04-06 18:27:27 +00:00