python#16042: CVE-2013-1752: smtplib fix for unlimited readline() from socket

birkenfeld · birkenfeld · commit c11435399e7a · 2014-01-25T09:02:18.000+01:00
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
@@ -62,6 +62,7 @@
 SMTP_SSL_PORT = 465
 CRLF = "\r\n"
 bCRLF = b"\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3
 
 OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)
 
@@ -364,7 +365,7 @@ def getreply(self):
             self.file = self.sock.makefile('rb')
         while 1:
             try:
-                line = self.file.readline()
+                line = self.file.readline(_MAXLINE + 1)
             except socket.error as e:
                 self.close()
                 raise SMTPServerDisconnected("Connection unexpectedly closed: "
@@ -374,6 +375,8 @@ def getreply(self):
                 raise SMTPServerDisconnected("Connection unexpectedly closed")
             if self.debuglevel > 0:
                 print('reply:', repr(line), file=stderr)
+            if len(line) > _MAXLINE:
+                raise SMTPResponseException(500, "Line too long.")
             resp.append(line[4:].strip(b' \t\r\n'))
             code = line[:3]
             # Check that the error code is syntactically correct.
diff --git a/Lib/test/mock_socket.py b/Lib/test/mock_socket.py
@@ -21,8 +21,13 @@ class MockFile:
     """
     def __init__(self, lines):
         self.lines = lines
-    def readline(self):
-        return self.lines.pop(0) + b'\r\n'
+    def readline(self, limit=-1):
+        result = self.lines.pop(0) + b'\r\n'
+        if limit >= 0:
+            # Re-insert the line, removing the \r\n we added.
+            self.lines.insert(0, result[limit:-2])
+            result = result[:limit]
+        return result
     def close(self):
         pass
 
diff --git a/Lib/test/test_smtplib.py b/Lib/test/test_smtplib.py
@@ -569,6 +569,33 @@ def testFailingHELO(self):
                             HOST, self.port, 'localhost', 3)
 
 
+@unittest.skipUnless(threading, 'Threading required for this test.')
+class TooLongLineTests(unittest.TestCase):
+    respdata = b'250 OK' + (b'.' * smtplib._MAXLINE * 2) + b'\n'
+
+    def setUp(self):
+        self.old_stdout = sys.stdout
+        self.output = io.StringIO()
+        sys.stdout = self.output
+
+        self.evt = threading.Event()
+        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        self.sock.settimeout(15)
+        self.port = support.bind_port(self.sock)
+        servargs = (self.evt, self.respdata, self.sock)
+        threading.Thread(target=server, args=servargs).start()
+        self.evt.wait()
+        self.evt.clear()
+
+    def tearDown(self):
+        self.evt.wait()
+        sys.stdout = self.old_stdout
+
+    def testLineTooLong(self):
+        self.assertRaises(smtplib.SMTPResponseException, smtplib.SMTP,
+                          HOST, self.port, 'localhost', 3)
+
+
 sim_users = {'Mr.A@somewhere.com':'John A',
              'Ms.B@xn--fo-fka.com':'Sally B',
              'Mrs.C@somewhereesle.com':'Ruth C',
@@ -885,7 +912,8 @@ def found_terminator(self):
 def test_main(verbose=None):
     support.run_unittest(GeneralTests, DebuggingServerTests,
                               NonConnectingTests,
-                              BadHELOServerTests, SMTPSimTests)
+                              BadHELOServerTests, SMTPSimTests,
+                              TooLongLineTests)
 
 if __name__ == '__main__':
     test_main()
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -50,6 +50,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
+  limiting the call to readline().  Original patch by Christian Heimes.
+
 - Issue #20317: ExitStack.__exit__ could create a self-referential loop if an
   exception raised by a cleanup operation already had its context set
   correctly (for example, by the @contextmanager decorator). The infinite
