- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to

limit line length. Patch by Emil Lind.

- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
limit line length. Patch by Emil Lind.
4e95d601 · Barry Warsaw · 9e27eda3 · 4e95d601 · 4e95d601 · 4e95d601
Commit 4e95d601 authored Sep 22, 2013 by Barry Warsaw
Show whitespace changes
Inline Side-by-side

Showing with 26 additions and 1 deletion

Lib/imaplib.py Lib/imaplib.py +13 -1

Lib/test/test_imaplib.py Lib/test/test_imaplib.py +10 -0

Misc/NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@@ -35,6 +35,15 @@ IMAP4_PORT = 143
 IMAP4_SSL_PORT = 993
 AllowedVersions = ('IMAP4REV1', 'IMAP4')        # Most recent first

+# Maximal line length when calling readline(). This is to prevent
+# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1)
+# don't specify a line length. RFC 2683 however suggests limiting client
+# command lines to 1000 octets and server command lines to 8000 octets.
+# We have selected 10000 for some extra margin and since that is supposedly
+# also what UW and Panda IMAP does.
+_MAXLINE = 10000
+
+
 #       Commands

 Commands = {
@@ -237,7 +246,10 @@ class IMAP4:

    def readline(self):
        """Read line from remote."""
-        return self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise self.error("got more than %d bytes" % _MAXLINE) 
+        return line


    def send(self, data):

--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -176,6 +176,16 @@ class BaseThreadedNetworkedTests(unittest.TestCase):
            self.assertRaises(imaplib.IMAP4.abort,
                              self.imap_class, *server.server_address)

+    def test_linetoolong(self):
+        class TooLongHandler(TimeoutStreamRequestHandler):
+            def handle(self):
+                # Send a very long response line
+                self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+
+        with self.reaped_server(TooLongHandler) as server:
+            self.assertRaises(imaplib.IMAP4.error,
+                              self.imap_class, *server.server_address)
+
 class ThreadedNetworkedTests(BaseThreadedNetworkedTests):

    server_class = SocketServer.TCPServer

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------

+- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
+  limit line length.  Patch by Emil Lind.
+
 - Issue #14984: On POSIX systems, when netrc is called without a filename
  argument (and therefore is reading the user's $HOME/.netrc file), it now
  enforces the same security rules as typical ftp clients: the .netrc file must