[Python-checkins] bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)

Victor Stinner webhook-mailer at python.org
Wed Dec 12 06:06:13 EST 2018


https://github.com/python/cpython/commit/16d63202af35dadd652a5e3eae687ea709e95b11
commit: 16d63202af35dadd652a5e3eae687ea709e95b11
branch: 2.7
author: Victor Stinner <vstinner at redhat.com>
committer: GitHub <noreply at github.com>
date: 2018-12-12T12:05:59+01:00
summary:

bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)

* bpo-16039: CVE-2013-1752: Change use of readline() in
  imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline()
  and IMAP4_SSL.read() to inherit safe IMAP4 implementation.
* bpo-20118: re-enable test_linetoolong() of test_imaplib
  on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL.
  The test now sets the _MAXLINE limit to 10 characters.

files:
A Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
M Lib/imaplib.py
M Lib/test/test_imaplib.py

diff --git a/Lib/imaplib.py b/Lib/imaplib.py
index 2e5511e02416..679c468251be 100644
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -1182,16 +1182,6 @@ def open(self, host = '', port = IMAP4_SSL_PORT):
             self.file = self.sslobj.makefile('rb')
 
 
-        def read(self, size):
-            """Read 'size' bytes from remote."""
-            return self.file.read(size)
-
-
-        def readline(self):
-            """Read line from remote."""
-            return self.file.readline()
-
-
         def send(self, data):
             """Send data to remote."""
             bytes = len(data)
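Review bot: deleting `read()` and `readline()` here only closes the hole if the inherited `IMAP4` versions actually enforce `_MAXLINE`, and they can only do so on the file object this class sets up, so the fix rests on the `self.file = self.sslobj.makefile('rb')` line kept in the context above; a short comment at that assignment noting that `read()`/`readline()` are intentionally inherited from `IMAP4` for the line-length check would stop a future contributor from re-adding unbounded `self.file.readline()` wrappers. Also worth stating in the commit that the removal covers `read()` as well, since the visible NEWS text mentions only `readline()`.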
diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
index 405b7ea8dd70..acaad63b6a3a 100644
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -166,14 +166,18 @@ def handle(self):
 
 
     def test_linetoolong(self):
+        maxline = 10
+
         class TooLongHandler(SimpleIMAPHandler):
             def handle(self):
                 # Send a very long response line
-                self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+                self.wfile.write('* OK ' + maxline * 'x' + '\r\n')
 
-        with self.reaped_server(TooLongHandler) as server:
-            self.assertRaises(imaplib.IMAP4.error,
-                              self.imap_class, *server.server_address)
+        with self.reaped_server(TooLongHandler) as server, \
+                 support.swap_attr(imaplib, '_MAXLINE', maxline):
+            with self.assertRaisesRegexp(imaplib.IMAP4.error,
+                    'got more than 10 bytes'):
+                self.imap_class(*server.server_address)
 
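Review bot: the expected message `'got more than 10 bytes'` hard-codes the value already held in `maxline`; building the pattern as `'got more than %d bytes' % maxline` keeps the two from drifting apart if the limit is later changed. The hunk also introduces a call to `support.swap_attr(...)` without any visible import of `support`; please confirm `from test import support` (or equivalent) exists at the top of `test_imaplib.py`, since the diff context does not show it. Note that the handler builds its line as `'* OK ' + maxline * 'x' + '\r\n'`, i.e. 17 bytes, which comfortably exceeds the 10-byte limit, so the assertion is exercising the overflow path rather than an off-by-one boundary; a second case at exactly `_MAXLINE` bytes would pin the boundary behaviour too.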
 class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
 
@@ -187,9 +191,6 @@ class ThreadedNetworkedTestsSSL(BaseThreadedNetworkedTests):
     server_class = SecureTCPServer
     imap_class = IMAP4_SSL
 
-    def test_linetoolong(self):
-        raise unittest.SkipTest("test is not reliable on 2.7; see issue 20118")
-
 
 class RemoteIMAPTest(unittest.TestCase):
     host = 'cyrus.andrew.cmu.edu'
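Review bot: removing the `SkipTest` re-enables `test_linetoolong` for the SSL variant, which is only safe because the base-class test now lowers `_MAXLINE` to 10 via `swap_attr` instead of having the server stream `imaplib._MAXLINE` bytes; the commit message cites bpo-20118 for this, but a one-line comment in `ThreadedNetworkedTestsSSL` (or a reference in the test itself) saying why the skip was dropped would keep that rationale next to the code. Also check that the two blank lines left after the removal still match the spacing convention used before `RemoteIMAPTest` in this module.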
diff --git a/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
new file mode 100644
index 000000000000..ff9ff47e0805
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
@@ -0,0 +1,2 @@
+CVE-2013-1752: Change use of ``readline()`` in :class:`imaplib.IMAP4_SSL` to
+limit line length.
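Review bot: the NEWS entry describes only the `readline()` change, but the `Lib/imaplib.py` hunk also removes `IMAP4_SSL.read()` so that it inherits the `IMAP4` implementation; mentioning both methods (and that they are now inherited from :class:`imaplib.IMAP4`) would make the security note match what the patch actually does.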