mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-07 19:35:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

gh-130637: Add validation for numeric response data in stat() method (#130646)

Browse source 
Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
This commit is contained in:
Kanishk Pachauri 2025-03-02 18:35:40 +05:30 committed by GitHub
parent 990ad272f6
commit a42168d316
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 45 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

15
Lib/poplib.py
View file

@ -226,8 +226,19 @@ class POP3:
retval = self._shortcmd('STAT') retval = self._shortcmd('STAT')
rets = retval.split() rets = retval.split()
if self._debugging: print('*stat*', repr(rets)) if self._debugging: print('*stat*', repr(rets))
numMessages = int(rets[1])
sizeMessages = int(rets[2]) # Check if the response has enough elements
# RFC 1939 requires at least 3 elements (+OK, message count, mailbox size)
# but allows additional data after the required fields
if len(rets) < 3:
raise error_proto("Invalid STAT response format")
try:
numMessages = int(rets[1])
sizeMessages = int(rets[2])
except ValueError:
raise error_proto("Invalid STAT response data: non-numeric values")
return (numMessages, sizeMessages) return (numMessages, sizeMessages)

31
Lib/test/test_poplib.py
View file

@ -289,6 +289,37 @@ class TestPOP3Class(TestCase):
def test_stat(self): def test_stat(self):
self.assertEqual(self.client.stat(), (10, 100)) self.assertEqual(self.client.stat(), (10, 100))
original_shortcmd = self.client._shortcmd
def mock_shortcmd_invalid_format(cmd):
if cmd == 'STAT':
return b'+OK'
return original_shortcmd(cmd)
self.client._shortcmd = mock_shortcmd_invalid_format
with self.assertRaises(poplib.error_proto):
self.client.stat()
def mock_shortcmd_invalid_data(cmd):
if cmd == 'STAT':
return b'+OK abc def'
return original_shortcmd(cmd)
self.client._shortcmd = mock_shortcmd_invalid_data
with self.assertRaises(poplib.error_proto):
self.client.stat()
def mock_shortcmd_extra_fields(cmd):
if cmd == 'STAT':
return b'+OK 1 2 3 4 5'
return original_shortcmd(cmd)
self.client._shortcmd = mock_shortcmd_extra_fields
result = self.client.stat()
self.assertEqual(result, (1, 2))
self.client._shortcmd = original_shortcmd
def test_list(self): def test_list(self):
self.assertEqual(self.client.list()[1:], self.assertEqual(self.client.list()[1:],
([b'1 1', b'2 2', b'3 3', b'4 4', b'5 5'], ([b'1 1', b'2 2', b'3 3', b'4 4', b'5 5'],

1
Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst Normal file
View file

@ -0,0 +1 @@
Add validation for numeric response data in poplib.POP3.stat() method