Kirill Smelkov / cpython
Commit ccfd94d7, authored Sep 30, 2014 by Georg Brandl
Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
line length. Patch by Emil Lind.
parent 62970ea5

Showing 3 changed files with 27 additions and 1 deletion:

Lib/imaplib.py +13 -1
Lib/test/test_imaplib.py +11 -0
Misc/NEWS +3 -0
Lib/imaplib.py
...
@@ -42,6 +42,15 @@ IMAP4_PORT = 143
...
@@ -42,6 +42,15 @@ IMAP4_PORT = 143
IMAP4_SSL_PORT
=
993
IMAP4_SSL_PORT
=
993
AllowedVersions
=
(
'IMAP4REV1'
,
'IMAP4'
)
# Most recent first
AllowedVersions
=
(
'IMAP4REV1'
,
'IMAP4'
)
# Most recent first
# Maximal line length when calling readline(). This is to prevent
# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1)
# don't specify a line length. RFC 2683 however suggests limiting client
# command lines to 1000 octets and server command lines to 8000 octets.
# We have selected 10000 for some extra margin and since that is supposedly
# also what UW and Panda IMAP does.
_MAXLINE
=
10000
# Commands
# Commands
Commands
=
{
Commands
=
{
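Review bot: _MAXLINE is a private module-level constant with no supported override, so a caller whose server sends a legitimate response line longer than 10000 bytes can only work around it by assigning to imaplib._MAXLINE. The comment itself says RFC 3501 and 2060 specify no line length and that the 8000-octet figure is only a suggestion from RFC 2683, so the chosen value is a policy decision; state in the comment (or the module documentation) whether applications are expected to raise it and how. Minor: "what UW and Panda IMAP does" should read "do", and "supposedly" would be better replaced by a reference.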
...
@@ -263,7 +272,10 @@ class IMAP4:
...
@@ -263,7 +272,10 @@ class IMAP4:
def
readline
(
self
):
def
readline
(
self
):
"""Read line from remote."""
"""Read line from remote."""
return
self
.
file
.
readline
()
line
=
self
.
file
.
readline
(
_MAXLINE
+
1
)
if
len
(
line
)
>
_MAXLINE
:
raise
self
.
error
(
"got more than %d bytes"
%
_MAXLINE
)
return
line
def
send
(
self
,
data
):
def
send
(
self
,
data
):
...
...
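Review bot: in readline(), raising self.error after reading _MAXLINE + 1 bytes leaves the rest of the oversized line unread on self.file, so any later readline() on the same connection would return the tail of that line as if it were a new response. The bounded read itself is right (asking for one byte more than the limit is what lets `len(line) > _MAXLINE` tell an over-long line from one that exactly fits), but the docstring should say that the connection is no longer usable after this error and that callers should close it rather than retry. The limit is also applied to the raw line including its CRLF, which the message "got more than %d bytes" does not make clear.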
Lib/test/test_imaplib.py
...
@@ -309,6 +309,17 @@ class BaseThreadedNetworkedTests(unittest.TestCase):
...
@@ -309,6 +309,17 @@ class BaseThreadedNetworkedTests(unittest.TestCase):
self
.
assertEqual
(
ret
,
"OK"
)
self
.
assertEqual
(
ret
,
"OK"
)
def
test_linetoolong
(
self
):
class
TooLongHandler
(
SimpleIMAPHandler
):
def
handle
(
self
):
# Send a very long response line
self
.
wfile
.
write
(
b'* OK '
+
imaplib
.
_MAXLINE
*
b'x'
+
b'
\
r
\
n
'
)
with
self
.
reaped_server
(
TooLongHandler
)
as
server
:
self
.
assertRaises
(
imaplib
.
IMAP4
.
error
,
self
.
imap_class
,
*
server
.
server_address
)
class
ThreadedNetworkedTests
(
BaseThreadedNetworkedTests
):
class
ThreadedNetworkedTests
(
BaseThreadedNetworkedTests
):
server_class
=
socketserver
.
TCPServer
server_class
=
socketserver
.
TCPServer
...
...
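Review bot: test_linetoolong only covers a line well past the limit: the handler writes b'* OK ' plus _MAXLINE bytes of b'x' plus CRLF, which is _MAXLINE + 7 bytes. Add the two boundary cases, a line of exactly _MAXLINE bytes (must be accepted) and one of _MAXLINE + 1 bytes (must raise), so an off-by-one in the `len(line) > _MAXLINE` comparison would be caught. The assertRaises call also checks only the exception type; matching on "got more than" would confirm the failure comes from the new length check and not from some other error while connecting.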
Misc/NEWS
...
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
...
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
Library
Library
-------
-------
- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
line length. Patch by Emil Lind.
- Issue #22421: Fix a regression that caused the pydoc server to be bound to
- Issue #22421: Fix a regression that caused the pydoc server to be bound to
all interfaces instead of only localhost.
all interfaces instead of only localhost.
...
...
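Review bot: the NEWS entry says the line length is now limited but gives neither the limit nor the visible effect. Users upgrading would benefit from knowing that a response line over 10000 bytes now raises IMAP4.error ("got more than 10000 bytes"); add that to the entry.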