[3.13] gh-130637: Add validation for numeric response data in stat() method (GH-130646) (#130763)

gh-130637: Add validation for numeric response data in `stat()` method (GH-130646) (cherry picked from commit a42168d316) Co-authored-by: Kanishk Pachauri <itskanishkp.py@gmail.com> Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
2025-08-04 17:08:35 +00:00 · 2025-03-02 21:28:56 +01:00 · 2025-03-02 21:28:56 +01:00 · e6dfa9d601
commit e6dfa9d601
parent 3bef4af301
3 changed files with 45 additions and 2 deletions
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@ -226,8 +226,19 @@ class POP3:
        retval = self._shortcmd('STAT')
        rets = retval.split()
        if self._debugging: print('*stat*', repr(rets))
-        numMessages = int(rets[1])
-        sizeMessages = int(rets[2])
+
+        # Check if the response has enough elements
+        # RFC 1939 requires at least 3 elements (+OK, message count, mailbox size)
+        # but allows additional data after the required fields
+        if len(rets) < 3:
+            raise error_proto("Invalid STAT response format")
+
+        try:
+            numMessages = int(rets[1])
+            sizeMessages = int(rets[2])
+        except ValueError:
+            raise error_proto("Invalid STAT response data: non-numeric values")
+
        return (numMessages, sizeMessages)


--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@ -289,6 +289,37 @@ class TestPOP3Class(TestCase):
    def test_stat(self):
        self.assertEqual(self.client.stat(), (10, 100))

+        original_shortcmd = self.client._shortcmd
+        def mock_shortcmd_invalid_format(cmd):
+            if cmd == 'STAT':
+                return b'+OK'
+            return original_shortcmd(cmd)
+
+        self.client._shortcmd = mock_shortcmd_invalid_format
+        with self.assertRaises(poplib.error_proto):
+            self.client.stat()
+
+        def mock_shortcmd_invalid_data(cmd):
+            if cmd == 'STAT':
+                return b'+OK abc def'
+            return original_shortcmd(cmd)
+
+        self.client._shortcmd = mock_shortcmd_invalid_data
+        with self.assertRaises(poplib.error_proto):
+            self.client.stat()
+
+        def mock_shortcmd_extra_fields(cmd):
+            if cmd == 'STAT':
+                return b'+OK 1 2 3 4 5'
+            return original_shortcmd(cmd)
+
+        self.client._shortcmd = mock_shortcmd_extra_fields
+
+        result = self.client.stat()
+        self.assertEqual(result, (1, 2))
+
+        self.client._shortcmd = original_shortcmd
+
    def test_list(self):
        self.assertEqual(self.client.list()[1:],
                         ([b'1 1', b'2 2', b'3 3', b'4 4', b'5 5'],
--- a/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
+++ b/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
@ -0,0 +1 @@
+Add validation for numeric response data in poplib.POP3.stat() method
				`@ -0,0 +1 @@`
				`Add validation for numeric response data in poplib.POP3.stat() method`