#16042: CVE-2013-1752: smtplib fix for unlimited readline() from socket

2025-08-01 07:33:08 +00:00 · 2014-01-25 09:02:18 +01:00 · 2014-01-25 09:02:18 +01:00 · c11435399e
commit c11435399e
parent f580d5b6f7
4 changed files with 43 additions and 4 deletions
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@ -62,6 +62,7 @@ SMTP_PORT = 25
 SMTP_SSL_PORT = 465
 CRLF = "\r\n"
 bCRLF = b"\r\n"
+_MAXLINE = 8192 # more than 8 times larger than RFC 821, 4.5.3

 OLDSTYLE_AUTH = re.compile(r"auth=(.*)", re.I)

@ -364,7 +365,7 @@ class SMTP:
            self.file = self.sock.makefile('rb')
        while 1:
            try:
-                line = self.file.readline()
+                line = self.file.readline(_MAXLINE + 1)
            except socket.error as e:
                self.close()
                raise SMTPServerDisconnected("Connection unexpectedly closed: "
@ -374,6 +375,8 @@ class SMTP:
                raise SMTPServerDisconnected("Connection unexpectedly closed")
            if self.debuglevel > 0:
                print('reply:', repr(line), file=stderr)
+            if len(line) > _MAXLINE:
+                raise SMTPResponseException(500, "Line too long.")
            resp.append(line[4:].strip(b' \t\r\n'))
            code = line[:3]
            # Check that the error code is syntactically correct.