Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by

serhiy-storchaka · serhiy-storchaka · commit 2acc456c3344 · 2013-10-20T17:02:10.000+03:00
limiting the call to readline().  Original patch by Michał
Jastrzębski and Giampaolo Rodola.
diff --git a/Lib/ftplib.py b/Lib/ftplib.py
@@ -50,6 +50,8 @@
 
 # The standard FTP server control port
 FTP_PORT = 21
+# The sizehint parameter passed to readline() calls
+MAXLINE = 8192
 
 
 # Exception raised when an error or invalid response is received
@@ -97,6 +99,7 @@ class FTP:
     debugging = 0
     host = ''
     port = FTP_PORT
+    maxline = MAXLINE
     sock = None
     file = None
     welcome = None
@@ -197,7 +200,9 @@ def putcmd(self, line):
     # Internal: return one line from the server, stripping CRLF.
     # Raise EOFError if the connection is closed
     def getline(self):
-        line = self.file.readline()
+        line = self.file.readline(self.maxline + 1)
+        if len(line) > self.maxline:
+            raise Error("got more than %d bytes" % self.maxline)
         if self.debugging > 1:
             print('*get*', self.sanitize(line))
         if not line:
@@ -463,7 +468,9 @@ def retrlines(self, cmd, callback = None):
         with self.transfercmd(cmd) as conn, \
                  conn.makefile('r', encoding=self.encoding) as fp:
             while 1:
-                line = fp.readline()
+                line = fp.readline(self.maxline + 1)
+                if len(line) > self.maxline:
+                    raise Error("got more than %d bytes" % self.maxline)
                 if self.debugging > 2:
                     print('*retr*', repr(line))
                 if not line:
@@ -522,7 +529,9 @@ def storlines(self, cmd, fp, callback=None):
         self.voidcmd('TYPE A')
         with self.transfercmd(cmd) as conn:
             while 1:
-                buf = fp.readline()
+                buf = fp.readline(self.maxline + 1)
+                if len(buf) > self.maxline:
+                    raise Error("got more than %d bytes" % self.maxline)
                 if not buf:
                     break
                 if buf[-2:] != B_CRLF:
diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
@@ -92,6 +92,7 @@ def __init__(self, conn):
         self.next_response = ''
         self.next_data = None
         self.rest = None
+        self.next_retr_data = RETR_DATA
         self.push('220 welcome')
 
     def collect_incoming_data(self, data):
@@ -221,7 +222,7 @@ def cmd_retr(self, arg):
             offset = int(self.rest)
         else:
             offset = 0
-        self.dtp.push(RETR_DATA[offset:])
+        self.dtp.push(self.next_retr_data[offset:])
         self.dtp.close_when_done()
         self.rest = None
 
@@ -243,6 +244,11 @@ def cmd_mlsd(self, arg):
         self.dtp.push(MLSD_DATA)
         self.dtp.close_when_done()
 
+    def cmd_setlongretr(self, arg):
+        # For testing. Next RETR will return long line.
+        self.next_retr_data = 'x' * int(arg)
+        self.push('125 setlongretr ok')
+
 
 class DummyFTPServer(asyncore.dispatcher, threading.Thread):
 
@@ -759,6 +765,20 @@ def test_parse257(self):
         self.assertEqual(ftplib.parse257('257 "/foo/b""ar"'), '/foo/b"ar')
         self.assertEqual(ftplib.parse257('257 "/foo/b""ar" created'), '/foo/b"ar')
 
+    def test_line_too_long(self):
+        self.assertRaises(ftplib.Error, self.client.sendcmd,
+                          'x' * self.client.maxline * 2)
+
+    def test_retrlines_too_long(self):
+        self.client.sendcmd('SETLONGRETR %d' % (self.client.maxline * 2))
+        received = []
+        self.assertRaises(ftplib.Error,
+                          self.client.retrlines, 'retr', received.append)
+
+    def test_storlines_too_long(self):
+        f = io.BytesIO(b'x' * self.client.maxline * 2)
+        self.assertRaises(ftplib.Error, self.client.storlines, 'stor', f)
+
 
 class TestIPv6Environment(TestCase):
 
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -62,6 +62,10 @@ Core and Builtins
 Library
 -------
 
+- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
+  limiting the call to readline().  Original patch by Michał
+  Jastrzębski and Giampaolo Rodola.
+
 - Issue #17087: Improved the repr for regular expression match objects.
 
 - Issue #18235: Fix the sysconfig variables LDSHARED and BLDSHARED under AIX.
