cpython: 4190568ceda0 (original) (raw)

Mercurial > cpython

changeset 85788:4190568ceda0 2.6

- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit line length. Patch by Emil Lind. [#16039]

Barry Warsaw barry@python.org
date	Sun, 22 Sep 2013 16:07:09 -0400
parents	fb3ad8a749c8
children	74eeefc4137f 8b19e7d0be45
files	Lib/imaplib.py Lib/test/test_imaplib.py Misc/NEWS
diffstat	3 files changed, 26 insertions(+), 1 deletions(-)[+] [-] Lib/imaplib.py 14 Lib/test/test_imaplib.py 10 Misc/NEWS 3

line wrap: on

line diff

--- a/Lib/imaplib.py +++ b/Lib/imaplib.py @@ -35,6 +35,15 @@ IMAP4_PORT = 143 IMAP4_SSL_PORT = 993 AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first +# Maximal line length when calling readline(). This is to prevent +# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1) +# don't specify a line length. RFC 2683 however suggests limiting client +# command lines to 1000 octets and server command lines to 8000 octets. +# We have selected 10000 for some extra margin and since that is supposedly +# also what UW and Panda IMAP does. +_MAXLINE = 10000 + +

Commands

Commands = { @@ -237,7 +246,10 @@ class IMAP4: def readline(self): """Read line from remote."""

   return self.file.readline()[](#l1.23)

   line = self.file.readline(_MAXLINE + 1)[](#l1.24)

```
   if len(line) > _MAXLINE:[](#l1.25)
```

       raise self.error("got more than %d bytes" % _MAXLINE) [](#l1.26)

```
   return line[](#l1.27)
```

def send(self, data):

--- a/Lib/test/test_imaplib.py +++ b/Lib/test/test_imaplib.py @@ -176,6 +176,16 @@ class BaseThreadedNetworkedTests(unittes self.assertRaises(imaplib.IMAP4.abort, self.imap_class, *server.server_address)

def test_linetoolong(self):

   class TooLongHandler(TimeoutStreamRequestHandler):[](#l2.8)

```
       def handle(self):[](#l2.9)
```

           # Send a very long response line[](#l2.10)

           self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')[](#l2.11)

   with self.reaped_server(TooLongHandler) as server:[](#l2.13)

       self.assertRaises(imaplib.IMAP4.error,[](#l2.14)

                         self.imap_class, *server.server_address)[](#l2.15)

+ class ThreadedNetworkedTests(BaseThreadedNetworkedTests): server_class = SocketServer.TCPServer

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -13,6 +13,9 @@ Core and Builtins Library ------- +- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to

limit line length. Patch by Emil Lind. +

Issue #14984: On POSIX systems, when netrc is called without a filename argument (and therefore is reading the user's $HOME/.netrc file), it now enforces the same security rules as typical ftp clients: the .netrc file must