gh-130637: Add validation for numeric response data in stat() method (#130646)

Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
2025-12-10 02:50:09 +00:00 · 2025-03-02 18:35:40 +05:30 · 2025-03-02 18:35:40 +05:30 · a42168d316
commit a42168d316
parent 990ad272f6
3 changed files with 45 additions and 2 deletions
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@ -226,8 +226,19 @@ class POP3:
        retval = self._shortcmd('STAT')
        rets = retval.split()
        if self._debugging: print('*stat*', repr(rets))
-        numMessages = int(rets[1])
-        sizeMessages = int(rets[2])
+
+        # Check if the response has enough elements
+        # RFC 1939 requires at least 3 elements (+OK, message count, mailbox size)
+        # but allows additional data after the required fields
+        if len(rets) < 3:
+            raise error_proto("Invalid STAT response format")
+
+        try:
+            numMessages = int(rets[1])
+            sizeMessages = int(rets[2])
+        except ValueError:
+            raise error_proto("Invalid STAT response data: non-numeric values")
+
        return (numMessages, sizeMessages)