cpython: 7214e3324a45 (original) (raw)
changeset 85889:7214e3324a45 2.6
- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen. [#16041]
Barry Warsaw barry@python.org | |
---|---|
date | Mon, 30 Sep 2013 15:56:29 -0400 |
parents | 582e5072ff89 |
children | 39dbcc92b6c0 3f09756916ce |
files | Lib/poplib.py Lib/test/test_poplib.py Misc/NEWS |
diffstat | 3 files changed, 95 insertions(+), 7 deletions(-)[+] [-] Lib/poplib.py 14 Lib/test/test_poplib.py 71 Misc/NEWS 17 |
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -32,6 +32,12 @@ CR = '\r' LF = '\n' CRLF = CR+LF +# maximal line length when calling readline(). This is to prevent +# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to +# 512 characters, including CRLF. We have selected 2048 just to be on +# the safe side. +_MAXLINE = 2048 + class POP3:
@@ -103,7 +109,10 @@ class POP3: # Raise error_proto('-ERR EOF') if the connection is closed. def _getline(self):
line = self.file.readline()[](#l1.20)
line = self.file.readline(_MAXLINE + 1)[](#l1.21)
if len(line) > _MAXLINE:[](#l1.22)
raise error_proto('line too long')[](#l1.23)
+ if self._debugging > 1: print 'get', repr(line) if not line: raise error_proto('-ERR EOF') octets = len(line)
@@ -363,7 +372,10 @@ else: line = "" renewline = re.compile(r'.*?\n') match = renewline.match(self.buffer) + while not match:
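Review bot: Raising `error_proto('line too long')` in `_getline` leaves the unread remainder of the oversized line sitting in `self.file` (only `_MAXLINE + 1` bytes were consumed), so a caller that catches the exception and sends another command will read that remainder as the reply and the session is silently desynchronized. The check is the right fix for the CVE, but the connection has to be treated as dead afterwards: say so in the method's comment, e.g. `# 'line too long' is fatal: the rest of the line is still pending on the socket; callers must drop the connection.`, or close it before raising with `self.file.close(); self.sock.close()` ahead of the `raise` (the tests refer to the connection as `pop.sock`, so that attribute presumably exists). The added test runs before the existing `-ERR EOF` check, which is harmless since an empty read cannot exceed `_MAXLINE`. `_getline` continues past the end of the hunk.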
if len(self.buffer) > _MAXLINE:[](#l1.34)
raise error_proto('line too long')[](#l1.35) self._fillBuffer()[](#l1.36) match = renewline.match(self.buffer)[](#l1.37) line = match.group(0)[](#l1.38)
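Review bot: The `len(self.buffer) > _MAXLINE` check inside `while not match` runs before `self._fillBuffer()`, so a line of up to `_MAXLINE` plus one fill's worth of bytes is still accepted when its newline arrives in that fill, whereas the plain-socket `_getline` rejects anything over `_MAXLINE`. The ordering is correct for the memory bound (the buffer holds no newline at that point, so the test never trips on a following short line), but to make the SSL path enforce the same limit add a check on the matched line after the loop: keep `line = match.group(0)` and follow it with `if len(line) > _MAXLINE: raise error_proto('line too long')`. How far the buffer can overshoot depends on the read size used by `_fillBuffer`, which is not in the hunk. The enclosing method begins before the hunk.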
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -1,3 +1,4 @@ +import os import socket import threading import poplib
@@ -21,6 +22,34 @@ def server(evt, serv): serv.close() evt.set() + +def evil_server(evt, serv, use_ssl=False):
- serv.listen(5)
- try:
conn, addr = serv.accept()[](#l2.16)
if use_ssl:[](#l2.17)
conn = ssl.wrap_socket([](#l2.18)
conn,[](#l2.19)
server_side=True,[](#l2.20)
certfile=CERTFILE,[](#l2.21)
)[](#l2.22)
- except socket.timeout:
pass[](#l2.24)
- else:
if use_ssl:[](#l2.26)
try:[](#l2.27)
conn.do_handshake()[](#l2.28)
except ssl.SSLError, err:[](#l2.29)
if err.args[0] not in (ssl.SSL_ERROR_WANT_READ,[](#l2.30)
ssl.SSL_ERROR_WANT_WRITE):[](#l2.31)
raise[](#l2.32)
conn.send("+ Hola mundo" * 1000 + "\n")[](#l2.33)
conn.close()[](#l2.34)
- finally:
serv.close()[](#l2.36)
evt.set()[](#l2.37)
+ + class GeneralTests(TestCase): def setUp(self):
@@ -65,8 +94,50 @@ class GeneralTests(TestCase): pop.sock.close() +class EvilServerTests(TestCase):
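Review bot: `conn.send("+ Hola mundo" * 1000 + "\n")` may return after writing only part of the 11 KB payload, so the test does not guarantee the client actually receives an over-long line before `conn.close()`; use `conn.sendall("+ Hola mundo" * 1000 + "\n")` so the whole buffer is written. The accepted `conn` socket is also never closed when `ssl.wrap_socket` or `do_handshake` raises, since the `finally` only closes `serv`; a hedged point, as the test harness may tolerate the leak. `ssl` is referenced here but no import of it is visible in the hunk, so it presumably appears elsewhere in the file.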
- def setUp(self):
self.evt = threading.Event()[](#l2.51)
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)[](#l2.52)
self.sock.settimeout(3)[](#l2.53)
self.port = test_support.bind_port(self.sock)[](#l2.54)
threading.Thread([](#l2.55)
target=evil_server,[](#l2.56)
args=(self.evt, self.sock, self.use_ssl)).start()[](#l2.57)
time.sleep(.1)[](#l2.58)
- def testTooLongLines(self):
self.assertRaises(poplib.error_proto, poplib.POP3,[](#l2.64)
'localhost', self.port, timeout=30)[](#l2.65)
+ + +SUPPORTS_SSL = False + +if hasattr(poplib, 'POP3_SSL'):
- SUPPORTS_SSL = True
- CERTFILE = os.path.join(os.path.dirname(file) or os.curdir,
"keycert.pem")[](#l2.75)
def testTooLongLines(self):[](#l2.80)
self.assertRaises(poplib.error_proto, poplib.POP3_SSL,[](#l2.81)
'localhost', self.port)[](#l2.82)
+ + def test_main(verbose=None): test_support.run_unittest(GeneralTests)
if name == 'main': test_main()
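Review bot: `testTooLongLines` only asserts that `poplib.error_proto` is raised, and the constructor raises the same type for an ordinary close (`-ERR EOF`), so the test cannot distinguish the new length check from the evil server simply hanging up; catch the exception and check its text, as below, and do the same in the `POP3_SSL` variant. Separately, `setUp` reads `self.use_ssl` but no `use_ssl` attribute is visible in the hunk, so either the class defines it outside what is shown or the rendering dropped a line, and `time.sleep(.1)` is the only thing ordering the thread's `serv.listen(5)` ahead of the client's connect, so calling `self.sock.listen(5)` in `setUp` before starting the thread would remove that race. Parts of this hunk appear to be missing from the rendering (the second `testTooLongLines` has no visible class header), so this covers only what is shown.
```python
    def testTooLongLines(self):
        try:
            poplib.POP3('localhost', self.port, timeout=30)
        except poplib.error_proto, e:
            self.assertEqual(str(e), 'line too long')
        else:
            self.fail('error_proto not raised for an over-long line')
```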
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,15 +13,22 @@ Core and Builtins Library ------- -- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
- than 100 headers are read. Adapted from patch by Jyrki Pulliainen. +- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
- limiting the call to readline(). Original patch by Christian Heimes. + +- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
- prevent readline() calls from consuming too much member. Patch by Jyrki
- Pulliainen. + +- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
- limit line length. Patch by Emil Lind.
- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by limiting the call to readline(). Original patch by Michał Jastrzębski and Giampaolo Rodola. -- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
- limit line length. Patch by Emil Lind. +- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
- Issue #14984: On POSIX systems, when netrc is called without a filename argument (and therefore is reading the user's $HOME/.netrc file), it now
@@ -32,8 +39,6 @@ Library
- Issue #16248: Disable code execution from the user's home directory by tkinter when the -E flag is passed to Python. Patch by Zachary Ware. -- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
- limiting the call to readline(). Original patch by Christian Heimes. Extension Modules -----------------