authorTudor Florea <tudor.florea@enea.com>2015-09-22 01:38:33 +0200
committerTudor Florea <tudor.florea@enea.com>2015-10-22 05:43:46 +0200
commit15f68138d4d0ff56704217369facc8baf03783a5 (patch)
treea19ad8e95a548fead58157cea6204b5eb6815237 /meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-poplib-fix.patch
parentff46766bf74cb96e103715de232c3cf09a69616e (diff)
downloadpoky-15f68138d4d0ff56704217369facc8baf03783a5.tar.gz
python: Backport CVE-2013-1752 fix from upstream
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-poplib-fix.patch')
-rw-r--r--meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-poplib-fix.patch90
1 files changed, 90 insertions, 0 deletions
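diff --git a/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-poplib-fix.patch b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-poplib-fix.patch
new file mode 100644
index 0000000000..15a5a2c63c
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-2.7.3-CVE-2013-1752-poplib-fix.patch
@@ -0,0 +1,90 @@
+diff --git a/Lib/poplib.py b/Lib/poplib.py
+--- a/Lib/poplib.py
++++ b/Lib/poplib.py
+@@ -27,16 +27,22 @@ POP3_PORT = 110
+ # POP SSL PORT
+ POP3_SSL_PORT = 995
+
+ # Line terminators (we always output CRLF, but accept any of CRLF, LFCR, LF)
+ CR = '\r'
+ LF = '\n'
+ CRLF = CR+LF
+
++# maximal line length when calling readline(). This is to prevent
++# reading arbitrary length lines. RFC 1939 limits POP3 line length to
++# 512 characters, including CRLF. We have selected 2048 just to be on
++# the safe side.
++_MAXLINE = 2048
++
+
+ class POP3:
+
+ """This class supports both the minimal and optional command sets.
+ Arguments can be strings or integers (where appropriate)
+ (e.g.: retr(1) and retr('1') both work equally well.
+
+ Minimal Command Set:
+@@ -98,17 +104,19 @@ class POP3:
+ self._putline(line)
+
+
+ # Internal: return one line from the server, stripping CRLF.
+ # This is where all the CPU time of this module is consumed.
+ # Raise error_proto('-ERR EOF') if the connection is closed.
+
+ def _getline(self):
+- line = self.file.readline()
++ line = self.file.readline(_MAXLINE + 1)
++ if len(line) > _MAXLINE:
++ raise error_proto('line too long')
+ if self._debugging > 1: print '*get*', repr(line)
+ if not line: raise error_proto('-ERR EOF')
+ octets = len(line)
+ # server can send any combination of CR & LF
+ # however, 'readline()' returns lines ending in LF
+ # so only possibilities are ...LF, ...CRLF, CR...LF
+ if line[-2:] == CRLF:
+ return line[:-2], octets
+@@ -360,16 +368,18 @@ else:
+ self.buffer += localbuf
+
+ def _getline(self):
+ line = ""
+ renewline = re.compile(r'.*?\n')
+ match = renewline.match(self.buffer)
+ while not match:
+ self._fillBuffer()
++ if len(self.buffer) > _MAXLINE:
++ raise error_proto('line too long')
+ match = renewline.match(self.buffer)
+ line = match.group(0)
+ self.buffer = renewline.sub('' ,self.buffer, 1)
+ if self._debugging > 1: print '*get*', repr(line)
+
+ octets = len(line)
+ if line[-2:] == CRLF:
+ return line[:-2], octets
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+--- a/Lib/test/test_poplib.py
++++ b/Lib/test/test_poplib.py
+@@ -193,16 +193,20 @@ class TestPOP3Class(TestCase):
+ def test_retr(self):
+ expected = ('+OK 116 bytes',
+ ['From: postmaster@python.org', 'Content-Type: text/plain',
+ 'MIME-Version: 1.0', 'Subject: Dummy',
+ '', 'line1', 'line2', 'line3'],
+ 113)
+ self.assertEqual(self.client.retr('foo'), expected)
+
++ def test_too_long_lines(self):
++ self.assertRaises(poplib.error_proto, self.client._shortcmd,
++ 'echo +%s' % ((poplib._MAXLINE + 10) * 'a'))
++
+ def test_dele(self):
+ self.assertOK(self.client.dele('foo'))
+
+ def test_noop(self):
+ self.assertOK(self.client.noop())
+
+ def test_rpop(self):
+ self.assertOK(self.client.rpop('foo'))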
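Review bot: The new patch file begins directly with the `diff --git a/Lib/poplib.py` header and carries no description, no `Upstream-Status:` tag, no CVE reference and no Signed-off-by, so the only record of where this security backport came from is the commit message, which is the metadata an auditor (and, if the layer uses it, cve-check tooling) keys on. I would add a short header above that first line stating what the fix bounds and why (server-controlled line length in `_getline`), naming the CVE and the upstream CPython changeset it was taken from, and ending with `Upstream-Status: Backport`, `CVE: CVE-2013-1752` and the Signed-off-by. Separately, the added `test_too_long_lines` sits in `TestPOP3Class` and drives `_shortcmd` over the plain client, so the second `_getline` (the buffer-based one under `else:`, which appears to be the SSL variant) gets no coverage from this test; its check bounds the whole receive buffer rather than the line, which holds because it runs after every `_fillBuffer`, but the header should note that only the non-SSL path is exercised. Both poplib.py hunks cut through their enclosing definitions, so the rest of each `_getline` is outside what is shown here.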