author | Victor Stinner <vstinner@redhat.com> | 2018-12-12 12:05:59 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-12-12 12:05:59 +0100 |
commit | 16d63202af35dadd652a5e3eae687ea709e95b11 (patch) | |
tree | ba5751e2c575a0709e8d010d3d881abdf5a98291 | |
parent | d336b1c8a40d14054145393fafb54b782cc1a549 (diff) | |
download | cpython-git-16d63202af35dadd652a5e3eae687ea709e95b11.tar.gz |
bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)
* bpo-16039: CVE-2013-1752: Change use of readline() in
imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline()
and IMAP4_SSL.read() so that the safe IMAP4 implementation is inherited.
* bpo-20118: reenable test_linetoolong() of test_imaplib
on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL.
The test now sets the _MAXLINE limit to 10 characters.
-rw-r--r-- | Lib/imaplib.py | 10 | ||||
-rw-r--r-- | Lib/test/test_imaplib.py | 15 | ||||
-rw-r--r-- | Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst | 2 |
3 files changed, 10 insertions, 17 deletions
diff --git a/Lib/imaplib.py b/Lib/imaplib.py
index 2e5511e024..679c468251 100644
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -1182,16 +1182,6 @@ else:
self.file = self.sslobj.makefile('rb')
- def read(self, size):
- """Read 'size' bytes from remote."""
- return self.file.read(size)
-
-
- def readline(self):
- """Read line from remote."""
- return self.file.readline()
-
-
def send(self, data):
"""Send data to remote."""
bytes = len(data)
diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
index 405b7ea8dd..acaad63b6a 100644
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -166,14 +166,18 @@ class BaseThreadedNetworkedTests(unittest.TestCase):
def test_linetoolong(self):
+ maxline = 10
+
class TooLongHandler(SimpleIMAPHandler):
def handle(self):
# Send a very long response line
- self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+ self.wfile.write('* OK ' + maxline * 'x' + '\r\n')
- with self.reaped_server(TooLongHandler) as server:
- self.assertRaises(imaplib.IMAP4.error,
- self.imap_class, *server.server_address)
+ with self.reaped_server(TooLongHandler) as server, \
+ support.swap_attr(imaplib, '_MAXLINE', maxline):
+ with self.assertRaisesRegexp(imaplib.IMAP4.error,
+ 'got more than 10 bytes'):
+ self.imap_class(*server.server_address)
class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
@@ -187,9 +191,6 @@ class ThreadedNetworkedTestsSSL(BaseThreadedNetworkedTests):
server_class = SecureTCPServer
imap_class = IMAP4_SSL
- def test_linetoolong(self):
- raise unittest.SkipTest("test is not reliable on 2.7; see issue 20118")
-
class RemoteIMAPTest(unittest.TestCase):
host = 'cyrus.andrew.cmu.edu'
diff --git a/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
new file mode 100644
index 0000000000..ff9ff47e08
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
@@ -0,0 +1,2 @@
+CVE-2013-1752: Change use of ``readline()`` in :class:`imaplib.IMAP4_SSL` to
+limit line length. |
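Review bot: Nothing in the imaplib.py hunk records why IMAP4_SSL no longer defines read()/readline(), so a later maintainer could reintroduce an override on `self.file` that bypasses the inherited length bound; a comment next to the retained `self.file = self.sslobj.makefile('rb')` line would pin the intent, e.g. `# read()/readline() are deliberately inherited from IMAP4 so its _MAXLINE check applies (CVE-2013-1752)`. The inherited methods can only be equivalent because both classes read from `self.file`, which this line assigns; that the IMAP4 versions enforce `_MAXLINE` is inferred from the test hunk's expected message, not visible here. The enclosing class body and the retained `send` method continue outside the hunk.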
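Review bot: In the test_imaplib.py hunk the expected message `'got more than 10 bytes'` duplicates the `maxline = 10` value, so a future change to the limit would break the regexp rather than exercise the intent; derive it instead, `'got more than %d bytes' % maxline`. The retained comment `# Send a very long response line` is now inaccurate for a line only a few bytes over the patched limit and should state what the test relies on, e.g. `# Send a response line longer than the patched _MAXLINE`. `assertRaisesRegexp` is the Python 2 spelling, consistent with the 2.7 reference in the SkipTest message this commit removes, so it is not a defect here. The second hunk of this file (the SkipTest removal) and the NEWS entry raise nothing.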