From b3ac84322fe6dd542aa755779cdbc155edca8064 Mon Sep 17 00:00:00 2001 From: Georg Brandl Date: Sun, 12 Oct 2014 08:50:11 +0200 Subject: [PATCH] #16040: fix unlimited read from connection in nntplib. --- Lib/nntplib.py | 11 ++++++++++- Lib/test/test_nntplib.py | 10 ++++++++++ Misc/NEWS | 4 ++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/Lib/nntplib.py b/Lib/nntplib.py index 32bffd8e27c..0d4bbbbaab9 100644 --- a/Lib/nntplib.py +++ b/Lib/nntplib.py @@ -85,6 +85,13 @@ __all__ = ["NNTP", "decode_header", ] +# maximal line length when calling readline(). This is to prevent +# reading arbitrary lenght lines. RFC 3977 limits NNTP line length to +# 512 characters, including CRLF. We have selected 2048 just to be on +# the safe side. +_MAXLINE = 2048 + + # Exceptions raised when an error or invalid response is received class NNTPError(Exception): """Base class for all nntplib exceptions""" @@ -410,7 +417,9 @@ class _NNTPBase: """Internal: return one line from the server, stripping _CRLF. Raise EOFError if the connection is closed. Returns a bytes object.""" - line = self.file.readline() + line = self.file.readline(_MAXLINE +1) + if len(line) > _MAXLINE: + raise NNTPDataError('line too long') if self.debugging > 1: print('*get*', repr(line)) if not line: raise EOFError diff --git a/Lib/test/test_nntplib.py b/Lib/test/test_nntplib.py index 7335b23b2d4..0875f71371a 100644 --- a/Lib/test/test_nntplib.py +++ b/Lib/test/test_nntplib.py @@ -563,6 +563,11 @@ class NNTPv1Handler: .""") + elif (group == 'comp.lang.python' and + date_str in ('20100101', '100101') and + time_str == '090000'): + self.push_lit('too long line' * 3000 + + '\n.') else: self.push_lit("""\ 230 An empty list of newsarticles follows @@ -1158,6 +1163,11 @@ class NNTPv1v2TestsMixin: self.assertEqual(cm.exception.response, "435 Article not wanted") + def test_too_long_lines(self): + dt = datetime.datetime(2010, 1, 1, 9, 0, 0) + self.assertRaises(nntplib.NNTPDataError, + self.server.newnews, "comp.lang.python", dt) + class NNTPv1Tests(NNTPv1v2TestsMixin, MockedNNTPTestsMixin, unittest.TestCase): """Tests an NNTP v1 server (no capabilities).""" diff --git a/Misc/NEWS b/Misc/NEWS index 1a704df9965..fc53c0f4d99 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -16,6 +16,10 @@ Core and Builtins Library ------- +- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to + prevent readline() calls from consuming too much memory. Patch by Jyrki + Pulliainen. + - Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit line length. Patch by Emil Lind.