Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to

prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen.

Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen.
e81b7702 · Georg Brandl · 3ba75186 · e81b7702 · e81b7702 · e81b7702
Commit e81b7702 authored Oct 27, 2013 by Georg Brandl
Show whitespace changes
Inline Side-by-side

Showing with 24 additions and 1 deletion

Lib/nntplib.py Lib/nntplib.py +10 -1

Lib/test/test_nntplib.py Lib/test/test_nntplib.py +10 -0

Misc/NEWS Misc/NEWS +4 -0

No files found.
--- a/Lib/nntplib.py
+++ b/Lib/nntplib.py
@@ -85,6 +85,13 @@ __all__ = ["NNTP",
           "decode_header",
           ]
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 3977 limits NNTP line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
 # Exceptions raised when an error or invalid response is received
 class NNTPError(Exception):
    """Base class for all nntplib exceptions"""
@@ -424,7 +431,9 @@ class _NNTPBase:
        """Internal: return one line from the server, stripping _CRLF.
        Raise EOFError if the connection is closed.
        Returns a bytes object."""
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE +1)
+        if len(line) > _MAXLINE:
+            raise NNTPDataError('line too long')
        if self.debugging > 1:
            print('*get*', repr(line))
        if not line: raise EOFError

--- a/Lib/test/test_nntplib.py
+++ b/Lib/test/test_nntplib.py
@@ -584,6 +584,11 @@ class NNTPv1Handler:
                <a4929a40-6328-491a-aaaf-cb79ed7309a2@q2g2000vbk.googlegroups.com>
                <f30c0419-f549-4218-848f-d7d0131da931@y3g2000vbm.googlegroups.com>
                .""")
+        elif (group == 'comp.lang.python' and
+              date_str in ('20100101', '100101') and
+              time_str == '090000'):
+            self.push_lit('too long line' * 3000 +
+                          '\n.')
        else:
            self.push_lit("""\
                230 An empty list of newsarticles follows
@@ -1179,6 +1184,11 @@ class NNTPv1v2TestsMixin:
        self.assertEqual(cm.exception.response,
                         "435 Article not wanted")
+    def test_too_long_lines(self):
+        dt = datetime.datetime(2010, 1, 1, 9, 0, 0)
+        self.assertRaises(nntplib.NNTPDataError,
+                          self.server.newnews, "comp.lang.python", dt)
 class NNTPv1Tests(NNTPv1v2TestsMixin, MockedNNTPTestsMixin, unittest.TestCase):
    """Tests an NNTP v1 server (no capabilities)."""

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -81,6 +81,10 @@ Core and Builtins
 Library
 -------
+- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to
+  prevent readline() calls from consuming too much memory.  Patch by Jyrki
+  Pulliainen.
 - Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to
  prevent readline() calls from consuming too much memory.  Patch by Jyrki
  Pulliainen.