[Python-checkins] cpython (2.7): closes 16039: CVE-2013-1752: limit line length in imaplib readline calls.

r.david.murray python-checkins at python.org
Fri Jan 3 20:00:28 CET 2014 

http://hg.python.org/cpython/rev/dd906f4ab923
changeset:   88280:dd906f4ab923
branch:      2.7
parent:      88260:69b5f6924553
user:        R David Murray <rdmurray at bitdance.com>
date:        Fri Jan 03 13:59:22 2014 -0500
summary:
  closes 16039: CVE-2013-1752: limit line length in imaplib readline calls.

files:
  Lib/imaplib.py           |  14 +++++++++++++-
  Lib/test/test_imaplib.py |  10 ++++++++++
  Misc/NEWS                |   3 +++
  3 files changed, 26 insertions(+), 1 deletions(-)


diff --git a/Lib/imaplib.py b/Lib/imaplib.py
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -35,6 +35,15 @@
 IMAP4_SSL_PORT = 993
 AllowedVersions = ('IMAP4REV1', 'IMAP4')        # Most recent first
 
+# Maximal line length when calling readline(). This is to prevent
+# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1)
+# don't specify a line length. RFC 2683 however suggests limiting client
+# command lines to 1000 octets and server command lines to 8000 octets.
+# We have selected 10000 for some extra margin and since that is supposedly
+# also what UW and Panda IMAP does.
+_MAXLINE = 10000
+
+
 #       Commands
 
 Commands = {
@@ -237,7 +246,10 @@
 
     def readline(self):
         """Read line from remote."""
-        return self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise self.error("got more than %d bytes" % _MAXLINE)
+        return line
 
 
     def send(self, data):
diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -165,6 +165,16 @@
                               self.imap_class, *server.server_address)
 
 
+    def test_linetoolong(self):
+        class TooLongHandler(SimpleIMAPHandler):
+            def handle(self):
+                # Send a very long response line
+                self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+
+        with self.reaped_server(TooLongHandler) as server:
+            self.assertRaises(imaplib.IMAP4.error,
+                              self.imap_class, *server.server_address)
+
 class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
 
     server_class = SocketServer.TCPServer
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -30,6 +30,9 @@
 Library
 -------
 
+- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
+  limit line length.  Patch by Emil Lind.
+
 - Issue #19422: Explicitly disallow non-SOCK_STREAM sockets in the ssl
   module, rather than silently let them emit clear text data.
 

-- 
Repository URL: http://hg.python.org/cpython

More information about the Python-checkins mailing list