in poplib, limit maximum line length that we read from the network (closes #16041)

Patch from Berker Peksag.
author: Benjamin Peterson <benjamin@python.org> 2014-12-05 20:02:38 -0500
committer: Benjamin Peterson <benjamin@python.org> 2014-12-05 20:02:38 -0500
commit: 3a424e175911aa2856ca0c4b76d2ab616ef0b20e (patch)
tree: b6866911c6bcde9780445678ee4d7aea1844b50f
parent: add1c8601a6e425230137be72b4d2749cbafecbb (diff)
download: cpython-3a424e175911aa2856ca0c4b76d2ab616ef0b20e.tar.gz
3 files changed, 18 insertions, 1 deletions
diff --git a/Lib/poplib.py b/Lib/poplib.py
index dc7cbdf062..b91e5f72d2 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -32,6 +32,12 @@ CR = '\r'
 LF = '\n'
 CRLF = CR+LF
 
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary length lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
 
 class POP3:
 
@@ -103,7 +109,9 @@ class POP3:
     # Raise error_proto('-ERR EOF') if the connection is closed.
 
     def _getline(self):
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise error_proto('line too long')
         if self._debugging > 1: print '*get*', repr(line)
         if not line: raise error_proto('-ERR EOF')
         octets = len(line)
@@ -365,6 +373,8 @@ else:
             match = renewline.match(self.buffer)
             while not match:
                 self._fillBuffer()
+                if len(self.buffer) > _MAXLINE:
+                    raise error_proto('line too long')
                 match = renewline.match(self.buffer)
             line = match.group(0)
             self.buffer = renewline.sub('' ,self.buffer, 1)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index af48fdd4f3..23d688724b 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -198,6 +198,10 @@ class TestPOP3Class(TestCase):
                     113)
         self.assertEqual(self.client.retr('foo'), expected)
 
+    def test_too_long_lines(self):
+        self.assertRaises(poplib.error_proto, self.client._shortcmd,
+                          'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
+
     def test_dele(self):
         self.assertOK(self.client.dele('foo'))
 
diff --git a/Misc/NEWS b/Misc/NEWS
index 01f23ef617..cee5b85867 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 2.7.9?
 Library
 -------
 
+- Issue #16041: In poplib, limit maximum line length read from the server to
+  prevent CVE-2013-1752.
+
 - Issue #22960: Add a context argument to xmlrpclib.ServerProxy.
author	Benjamin Peterson <benjamin@python.org>	2014-12-05 20:02:38 -0500
committer	Benjamin Peterson <benjamin@python.org>	2014-12-05 20:02:38 -0500
commit	3a424e175911aa2856ca0c4b76d2ab616ef0b20e (patch)
tree	b6866911c6bcde9780445678ee4d7aea1844b50f
parent	add1c8601a6e425230137be72b4d2749cbafecbb (diff)
download	cpython-3a424e175911aa2856ca0c4b76d2ab616ef0b20e.tar.gz