bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)

* bpo-16039: CVE-2013-1752: Change use of readline() in imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline() and IMAP4_SSL.read() to inherit safe IMAP4 implementation. * bpo-20118: reenable test_linetoolong() of test_imaplib on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL. The test now sets the _MAXLINE limit to 10 characters.

bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)
* bpo-16039: CVE-2013-1752: Change use of readline() in imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline() and IMAP4_SSL.read() to inherit safe IMAP4 implementation. * bpo-20118: reenable test_linetoolong() of test_imaplib on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL. The test now sets the _MAXLINE limit to 10 characters.
16d63202 · Victor Stinner · GitHub · d336b1c8 · 16d63202 · 16d63202
Commit 16d63202 authored Dec 12, 2018 by Victor Stinner Committed by GitHub Dec 12, 2018
3 changed files
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -1182,16 +1182,6 @@ else:
            self.file = self.sslobj.makefile('rb')


-        def read(self, size):
-            """Read 'size' bytes from remote."""
-            return self.file.read(size)
-
-
-        def readline(self):
-            """Read line from remote."""
-            return self.file.readline()
-
-
        def send(self, data):
            """Send data to remote."""
            bytes = len(data)

--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -166,14 +166,18 @@ class BaseThreadedNetworkedTests(unittest.TestCase):


    def test_linetoolong(self):
+        maxline = 10
+
        class TooLongHandler(SimpleIMAPHandler):
            def handle(self):
                # Send a very long response line
-                self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+                self.wfile.write('* OK ' + maxline * 'x' + '\r\n')

-        with self.reaped_server(TooLongHandler) as server:
-            self.assertRaises(imaplib.IMAP4.error,
-                              self.imap_class, *server.server_address)
+        with self.reaped_server(TooLongHandler) as server, \
+                 support.swap_attr(imaplib, '_MAXLINE', maxline):
+            with self.assertRaisesRegexp(imaplib.IMAP4.error,
+                    'got more than 10 bytes'):
+                self.imap_class(*server.server_address)

 class ThreadedNetworkedTests(BaseThreadedNetworkedTests):

@@ -187,9 +191,6 @@ class ThreadedNetworkedTestsSSL(BaseThreadedNetworkedTests):
    server_class = SecureTCPServer
    imap_class = IMAP4_SSL

-    def test_linetoolong(self):
-        raise unittest.SkipTest("test is not reliable on 2.7; see issue 20118")
-

 class RemoteIMAPTest(unittest.TestCase):
    host = 'cyrus.andrew.cmu.edu'

--- a/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
+++ b/Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst
+CVE-2013-1752: Change use of ``readline()`` in :class:`imaplib.IMAP4_SSL` to
+limit line length.