[Python-checkins] bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)
Victor Stinner
webhook-mailer at python.org
Wed Dec 12 06:06:13 EST 2018
https://github.com/python/cpython/commit/16d63202af35dadd652a5e3eae687ea709e95b11
commit: 16d63202af35dadd652a5e3eae687ea709e95b11
branch: 2.7
author: Victor Stinner <vstinner at redhat.com>
committer: GitHub <noreply at github.com>
date: 2018-12-12T12:05:59+01:00
summary:
bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)
* bpo-16039: CVE-2013-1752: Change use of readline() in
imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline()
and IMAP4_SSL.read() to inherit safe IMAP4 implementation.
* bpo-20118: reenable test_linetoolong() of test_imaplib
on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL.
The test now sets the _MAXLINE limit to 10 characters.
files:
A Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
M Lib/imaplib.py
M Lib/test/test_imaplib.py
diff --git a/Lib/imaplib.py b/Lib/imaplib.py
index 2e5511e02416..679c468251be 100644
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -1182,16 +1182,6 @@ def open(self, host = '', port = IMAP4_SSL_PORT):
self.file = self.sslobj.makefile('rb')
- def read(self, size):
- """Read 'size' bytes from remote."""
- return self.file.read(size)
-
-
- def readline(self):
- """Read line from remote."""
- return self.file.readline()
-
-
def send(self, data):
"""Send data to remote."""
bytes = len(data)
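Review bot: With the read()/readline() overrides gone, IMAP4_SSL depends on the inherited IMAP4 implementations consuming the `self.file` that open() assigns on the first context line, but nothing in the remaining code records that dependency; a comment after `self.file = self.sslobj.makefile('rb')` such as `# read()/readline() are inherited from IMAP4 and operate on self.file, so the base class's _MAXLINE check now applies to SSL sessions too` would make the security intent visible to the next reader. The inherited implementation is outside this hunk, so that it enforces _MAXLINE is inferred from the commit message and the updated test rather than from visible lines. The open() method begins before the hunk and send() continues past it.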
diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
index 405b7ea8dd70..acaad63b6a3a 100644
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -166,14 +166,18 @@ def handle(self):
def test_linetoolong(self):
+ maxline = 10
+
class TooLongHandler(SimpleIMAPHandler):
def handle(self):
# Send a very long response line
- self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+ self.wfile.write('* OK ' + maxline * 'x' + '\r\n')
- with self.reaped_server(TooLongHandler) as server:
- self.assertRaises(imaplib.IMAP4.error,
- self.imap_class, *server.server_address)
+ with self.reaped_server(TooLongHandler) as server, \
+ support.swap_attr(imaplib, '_MAXLINE', maxline):
+ with self.assertRaisesRegexp(imaplib.IMAP4.error,
+ 'got more than 10 bytes'):
+ self.imap_class(*server.server_address)
class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
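Review bot: The expected message passed to assertRaisesRegexp hardcodes `'got more than 10 bytes'` while the limit itself comes from the local `maxline`, so the two drift apart if the constant is ever changed; `'got more than %d bytes' % maxline` keeps the assertion tied to the value that was swapped in. A short comment on the `support.swap_attr(imaplib, '_MAXLINE', maxline)` line would also help, noting that the module-level limit is patched only around the client connection and that the handler's closure over `maxline` and the client's limit must agree for the test to be meaningful. Since the handler writes `'* OK ' + maxline * 'x'`, the line exceeds the limit only because of the `'* OK '` prefix, which presumably is the intent and deserves a one-line comment in handle().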
@@ -187,9 +191,6 @@ class ThreadedNetworkedTestsSSL(BaseThreadedNetworkedTests):
server_class = SecureTCPServer
imap_class = IMAP4_SSL
- def test_linetoolong(self):
- raise unittest.SkipTest("test is not reliable on 2.7; see issue 20118")
-
class RemoteIMAPTest(unittest.TestCase):
host = 'cyrus.andrew.cmu.edu'
diff --git a/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
new file mode 100644
index 000000000000..ff9ff47e0805
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
@@ -0,0 +1,2 @@
+CVE-2013-1752: Change use of ``readline()`` in :class:`imaplib.IMAP4_SSL` to
+limit line length.