cpython: 5d1c03316af7 (original) (raw)

Mercurial > cpython

changeset 92669:5d1c03316af7 3.2

Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit line length. Patch by Emil Lind. [#16039]

Georg Brandl georg@python.org
date	Tue, 30 Sep 2014 16:00:09 +0200
parents	02dae04b3e2b
children	97c329849ef3
files	Lib/imaplib.py Lib/test/test_imaplib.py Misc/NEWS
diffstat	3 files changed, 27 insertions(+), 1 deletions(-)[+] [-] Lib/imaplib.py 14 Lib/test/test_imaplib.py 11 Misc/NEWS 3

line wrap: on

line diff

--- a/Lib/imaplib.py +++ b/Lib/imaplib.py @@ -42,6 +42,15 @@ IMAP4_PORT = 143 IMAP4_SSL_PORT = 993 AllowedVersions = ('IMAP4REV1', 'IMAP4') # Most recent first +# Maximal line length when calling readline(). This is to prevent +# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1) +# don't specify a line length. RFC 2683 however suggests limiting client +# command lines to 1000 octets and server command lines to 8000 octets. +# We have selected 10000 for some extra margin and since that is supposedly +# also what UW and Panda IMAP does. +_MAXLINE = 10000 + +

Commands

Commands = { @@ -263,7 +272,10 @@ class IMAP4: def readline(self): """Read line from remote."""

   return self.file.readline()[](#l1.23)

   line = self.file.readline(_MAXLINE + 1)[](#l1.24)

```
   if len(line) > _MAXLINE:[](#l1.25)
```

       raise self.error("got more than %d bytes" % _MAXLINE)[](#l1.26)

```
   return line[](#l1.27)
```

def send(self, data):

--- a/Lib/test/test_imaplib.py +++ b/Lib/test/test_imaplib.py @@ -309,6 +309,17 @@ class BaseThreadedNetworkedTests(unittes self.assertEqual(ret, "OK")

def test_linetoolong(self):

   class TooLongHandler(SimpleIMAPHandler):[](#l2.8)

```
       def handle(self):[](#l2.9)
```

           # Send a very long response line[](#l2.10)

           self.wfile.write(b'* OK ' + imaplib._MAXLINE*b'x' + b'\r\n')[](#l2.11)

   with self.reaped_server(TooLongHandler) as server:[](#l2.13)

       self.assertRaises(imaplib.IMAP4.error,[](#l2.14)

                         self.imap_class, *server.server_address)[](#l2.15)

+ + class ThreadedNetworkedTests(BaseThreadedNetworkedTests): server_class = socketserver.TCPServer

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -10,6 +10,9 @@ What's New in Python 3.2.6? Library ------- +- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit

line length. Patch by Emil Lind. +

Issue #22421: Fix a regression that caused the pydoc server to be bound to all interfaces instead of only localhost.