[Python-checkins] cpython (3.2): #16040: fix unlimited read from connection in nntplib.

Sun Oct 12 09:17:08 CEST 2014

https://hg.python.org/cpython/rev/985bda4edf9d
changeset:   92973:985bda4edf9d
branch:      3.2
parent:      92803:4f314dedb84f
user:        Georg Brandl <georg at python.org>
date:        Sun Oct 12 08:50:11 2014 +0200
summary:
  #16040: fix unlimited read from connection in nntplib.

files:
  Lib/nntplib.py           |  11 ++++++++++-
  Lib/test/test_nntplib.py |  10 ++++++++++
  Misc/NEWS                |   4 ++++
  3 files changed, 24 insertions(+), 1 deletions(-)

diff --git a/Lib/nntplib.py b/Lib/nntplib.py
--- a/Lib/nntplib.py
+++ b/Lib/nntplib.py
@@ -85,6 +85,13 @@
            "decode_header",
            ]
 
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 3977 limits NNTP line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
+
 # Exceptions raised when an error or invalid response is received
 class NNTPError(Exception):
     """Base class for all nntplib exceptions"""
@@ -410,7 +417,9 @@
         """Internal: return one line from the server, stripping _CRLF.
         Raise EOFError if the connection is closed.
         Returns a bytes object."""
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE +1)
+        if len(line) > _MAXLINE:
+            raise NNTPDataError('line too long')
         if self.debugging > 1:
             print('*get*', repr(line))
         if not line: raise EOFError
diff --git a/Lib/test/test_nntplib.py b/Lib/test/test_nntplib.py
--- a/Lib/test/test_nntplib.py
+++ b/Lib/test/test_nntplib.py
@@ -563,6 +563,11 @@
                 <a4929a40-6328-491a-aaaf-cb79ed7309a2 at q2g2000vbk.googlegroups.com>
                 <f30c0419-f549-4218-848f-d7d0131da931 at y3g2000vbm.googlegroups.com>
                 .""")
+        elif (group == 'comp.lang.python' and
+              date_str in ('20100101', '100101') and
+              time_str == '090000'):
+            self.push_lit('too long line' * 3000 +
+                          '\n.')
         else:
             self.push_lit("""\
                 230 An empty list of newsarticles follows
@@ -1158,6 +1163,11 @@
         self.assertEqual(cm.exception.response,
                          "435 Article not wanted")
 
+    def test_too_long_lines(self):
+        dt = datetime.datetime(2010, 1, 1, 9, 0, 0)
+        self.assertRaises(nntplib.NNTPDataError,
+                          self.server.newnews, "comp.lang.python", dt)
+
 
 class NNTPv1Tests(NNTPv1v2TestsMixin, MockedNNTPTestsMixin, unittest.TestCase):
     """Tests an NNTP v1 server (no capabilities)."""
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,10 @@
 Library
 -------
 
+- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
+  prevent readline() calls from consuming too much memory.  Patch by Jyrki
+  Pulliainen.
+
 - Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
   line length.  Patch by Emil Lind.
 

-- 
Repository URL: https://hg.python.org/cpython
