- Issue python#16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to

warsaw · warsaw · commit c545a5ebd62b · 2013-09-30T15:56:29.000-04:00
prevent readline() calls from consuming too much member.  Patch by Jyrki
  Pulliainen.
diff --git a/Lib/poplib.py b/Lib/poplib.py
@@ -32,6 +32,12 @@ class error_proto(Exception): pass
 LF = '\n'
 CRLF = CR+LF
 
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
 
 class POP3:
 
@@ -103,7 +109,10 @@ def _putcmd(self, line):
     # Raise error_proto('-ERR EOF') if the connection is closed.
 
     def _getline(self):
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise error_proto('line too long')
+
         if self._debugging > 1: print '*get*', repr(line)
         if not line: raise error_proto('-ERR EOF')
         octets = len(line)
@@ -363,7 +372,10 @@ def _getline(self):
             line = ""
             renewline = re.compile(r'.*?\n')
             match = renewline.match(self.buffer)
+
             while not match:
+                if len(self.buffer) > _MAXLINE:
+                    raise error_proto('line too long')
                 self._fillBuffer()
                 match = renewline.match(self.buffer)
             line = match.group(0)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
@@ -1,3 +1,4 @@
+import os
 import socket
 import threading
 import poplib
@@ -21,6 +22,34 @@ def server(evt, serv):
         serv.close()
         evt.set()
 
+
+def evil_server(evt, serv, use_ssl=False):
+    serv.listen(5)
+    try:
+        conn, addr = serv.accept()
+        if use_ssl:
+            conn = ssl.wrap_socket(
+                conn,
+                server_side=True,
+                certfile=CERTFILE,
+            )
+    except socket.timeout:
+        pass
+    else:
+        if use_ssl:
+            try:
+                conn.do_handshake()
+            except ssl.SSLError, err:
+                if err.args[0] not in (ssl.SSL_ERROR_WANT_READ,
+                                       ssl.SSL_ERROR_WANT_WRITE):
+                    raise
+        conn.send("+ Hola mundo" * 1000 + "\n")
+        conn.close()
+    finally:
+        serv.close()
+        evt.set()
+
+
 class GeneralTests(TestCase):
 
     def setUp(self):
@@ -65,8 +94,50 @@ def testTimeoutValue(self):
         pop.sock.close()
 
 
+class EvilServerTests(TestCase):
+    use_ssl = False
+
+    def setUp(self):
+        self.evt = threading.Event()
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.settimeout(3)
+        self.port = test_support.bind_port(self.sock)
+        threading.Thread(
+            target=evil_server,
+            args=(self.evt, self.sock, self.use_ssl)).start()
+        time.sleep(.1)
+
+    def tearDown(self):
+        self.evt.wait()
+
+    def testTooLongLines(self):
+        self.assertRaises(poplib.error_proto, poplib.POP3,
+                          'localhost', self.port, timeout=30)
+
+
+SUPPORTS_SSL = False
+
+if hasattr(poplib, 'POP3_SSL'):
+    import ssl
+
+    SUPPORTS_SSL = True
+    CERTFILE = os.path.join(os.path.dirname(__file__) or os.curdir,
+                            "keycert.pem")
+
+    class EvilSSLServerTests(EvilServerTests):
+        use_ssl = True
+
+        def testTooLongLines(self):
+            self.assertRaises(poplib.error_proto, poplib.POP3_SSL,
+                              'localhost', self.port)
+
+
 def test_main(verbose=None):
     test_support.run_unittest(GeneralTests)
+    test_support.run_unittest(EvilServerTests)
+
+    if SUPPORTS_SSL:
+        test_support.run_unittest(EvilSSLServerTests)
 
 if __name__ == '__main__':
     test_main()
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -13,15 +13,22 @@ Core and Builtins
 Library
 -------
 
-- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
-  than 100 headers are read.  Adapted from patch by Jyrki Pulliainen.
+- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
+  limiting the call to readline().  Original patch by Christian Heimes.
+
+- Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
+  prevent readline() calls from consuming too much member.  Patch by Jyrki
+  Pulliainen.
+
+- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
+  limit line length.  Patch by Emil Lind.
 
 - Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by
   limiting the call to readline().  Original patch by Michał
   Jastrzębski and Giampaolo Rodola.
 
-- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
-  limit line length.  Patch by Emil Lind.
+- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
+  than 100 headers are read.  Adapted from patch by Jyrki Pulliainen.
 
 - Issue #14984: On POSIX systems, when netrc is called without a filename
   argument (and therefore is reading the user's $HOME/.netrc file), it now
@@ -32,8 +39,6 @@ Library
 - Issue #16248: Disable code execution from the user's home directory by
   tkinter when the -E flag is passed to Python.  Patch by Zachary Ware.
 
-- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
-  limiting the call to readline().  Original patch by Christian Heimes.
 
 Extension Modules
 -----------------
