
Showing content from https://github.com/python/cpython/commit/42faa55124abcbb132c57745dec9e0489ac74406 below:

Limit maximum line lengths to… · python/cpython@42faa55 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+79

-1

lines changed


@@ -37,6 +37,13 @@

37 37

"error_reply","error_temp","error_perm","error_proto",

38 38

"error_data",]

39 39 40 +

# maximal line length when calling readline(). This is to prevent

41 +

# reading arbitrary lenght lines. RFC 3977 limits NNTP line length to

42 +

# 512 characters, including CRLF. We have selected 2048 just to be on

43 +

# the safe side.

44 +

_MAXLINE = 2048

45 + 46 + 40 47

# Exceptions raised when an error or invalid response is received

41 48

class NNTPError(Exception):

42 49

"""Base class for all nntplib exceptions"""

@@ -200,7 +207,9 @@ def putcmd(self, line):

200 207

def getline(self):

201 208

"""Internal: return one line from the server, stripping CRLF.

202 209

Raise EOFError if the connection is closed."""

203 -

line = self.file.readline()

210 +

line = self.file.readline(_MAXLINE + 1)

211 +

if len(line) > _MAXLINE:

212 +

raise NNTPDataError('line too long')

204 213

if self.debugging > 1:

205 214

print '*get*', repr(line)

206 215

if not line: raise EOFError
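Review bot: When `getline` raises `NNTPDataError('line too long')`, the rest of the oversized line is still unread on the connection, so a caller that catches the error and keeps using the same object would presumably read the tail as the next response. The docstring should say so, for example by adding `Raise NNTPDataError if the line exceeds _MAXLINE; the connection should be closed afterwards.` The cap is per line only: if multi-line responses are collected through `getline` elsewhere in the file (not visible in this hunk), the number of lines a server can send stays unbounded and this change does not limit total memory. The comment above `_MAXLINE` also has a typo, `lenght`. The body of `getline` continues past the end of the hunk.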


@@ -0,0 +1,65 @@

1 +

import socket

2 +

import threading

3 +

import nntplib

4 +

import time

5 + 6 +

from unittest import TestCase

7 +

from test import test_support

8 + 9 +

HOST = test_support.HOST

10 + 11 + 12 +

def server(evt, serv, evil=False):

13 +

serv.listen(5)

14 +

try:

15 +

conn, addr = serv.accept()

16 +

except socket.timeout:

17 +

pass

18 +

else:

19 +

if evil:

20 +

conn.send("1 I'm too long response" * 3000 + "\n")

21 +

else:

22 +

conn.send("1 I'm OK response\n")

23 +

conn.close()

24 +

finally:

25 +

serv.close()

26 +

evt.set()

27 + 28 + 29 +

class BaseServerTest(TestCase):

30 +

def setUp(self):

31 +

self.evt = threading.Event()

32 +

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

33 +

self.sock.settimeout(3)

34 +

self.port = test_support.bind_port(self.sock)

35 +

threading.Thread(

36 +

target=server,

37 +

args=(self.evt, self.sock, self.evil)).start()

38 +

time.sleep(.1)

39 + 40 +

def tearDown(self):

41 +

self.evt.wait()

42 + 43 + 44 +

class ServerTests(BaseServerTest):

45 +

evil = False

46 + 47 +

def test_basic_connect(self):

48 +

nntp = nntplib.NNTP('localhost', self.port)

49 +

nntp.sock.close()

50 + 51 + 52 +

class EvilServerTests(BaseServerTest):

53 +

evil = True

54 + 55 +

def test_too_long_line(self):

56 +

self.assertRaises(nntplib.NNTPDataError,

57 +

nntplib.NNTP, 'localhost', self.port)

58 + 59 + 60 +

def test_main(verbose=None):

61 +

test_support.run_unittest(EvilServerTests)

62 +

test_support.run_unittest(ServerTests)

63 + 64 +

if __name__ == '__main__':

65 +

test_main()
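Review bot: In `setUp`, the only thing ordering `serv.listen(5)` (run in the server thread) before the client's connect is `time.sleep(.1)`, so on a loaded machine the tests can fail with a refused connection instead of exercising the length check. Calling `self.sock.listen(5)` in `setUp` before starting the thread removes both the race and the sleep. In the `evil` branch, `conn.send(...)` may write only part of the roughly 69,000-byte payload and its return value is ignored; `conn.sendall("1 I'm too long response" * 3000 + "\n")` states the intent. `test_too_long_line` covers the greeting line only, so a second case that sends a valid greeting followed by an overlong line would cover reads made after connect.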


@@ -20,6 +20,10 @@ Library

20 20

prevent readline() calls from consuming too much memory. Patch by Jyrki

21 21

Pulliainen.

22 22 23 +

- Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to

24 +

prevent readline() calls from consuming too much memory. Patch by Jyrki

25 +

Pulliainen.

26 + 23 27

- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to

24 28

limit line length. Patch by Emil Lind.

25 29
