Issue #16041: CVE-2013-1752: poplib: Limit maximum line lengths to 2048 to

prevent readline() calls from consuming too much memory. Patch by Jyrki Pulliainen.
2025-08-04 08:59:19 +00:00 · 2013-10-27 07:23:53 +01:00 · 2013-10-27 07:23:53 +01:00 · 7e27abbb39
commit 7e27abbb39
parent 72c98d3a76
3 changed files with 19 additions and 2 deletions
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@ -32,6 +32,12 @@ CR = b'\r'
 LF = b'\n'
 CRLF = CR+LF

+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+

 class POP3:

@ -107,7 +113,10 @@ class POP3:
    # Raise error_proto('-ERR EOF') if the connection is closed.

    def _getline(self):
-        line = self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise error_proto('line too long')
+
        if self._debugging > 1: print('*get*', repr(line))
        if not line: raise error_proto('-ERR EOF')
        octets = len(line)