Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit

line length. Patch by Emil Lind.
2025-10-06 15:11:58 +00:00 · 2013-10-27 06:52:14 +01:00 · 2013-10-27 06:52:14 +01:00 · ca580f4ec1
commit ca580f4ec1
parent 246eb11058
3 changed files with 31 additions and 4 deletions
--- a/Lib/imaplib.py
+++ b/Lib/imaplib.py
@ -43,6 +43,15 @@ IMAP4_PORT = 143
 IMAP4_SSL_PORT = 993
 AllowedVersions = ('IMAP4REV1', 'IMAP4')        # Most recent first

+# Maximal line length when calling readline(). This is to prevent
+# reading arbitrary length lines. RFC 3501 and 2060 (IMAP 4rev1)
+# don't specify a line length. RFC 2683 however suggests limiting client
+# command lines to 1000 octets and server command lines to 8000 octets.
+# We have selected 10000 for some extra margin and since that is supposedly
+# also what UW and Panda IMAP does.
+_MAXLINE = 10000
+
+
 #       Commands

 Commands = {
@ -256,7 +265,10 @@ class IMAP4:

    def readline(self):
        """Read line from remote."""
-        return self.file.readline()
+        line = self.file.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise self.error("got more than %d bytes" % _MAXLINE)
+        return line


    def send(self, data):