https://github.com/python/cpython/commit/d9ca98a92d8fbd671d818c2cc0b481182370f1fc
commit: d9ca98a92d8fbd671d818c2cc0b481182370f1fc
branch: 3.12
author: Miss Islington (bot) <31488909+miss-isling...@users.noreply.github.com>
committer: terryjreedy <tjre...@udel.edu>
date: 2025-03-02T15:05:46-05:00
summary:
[3.12] gh-130637: Add validation for numeric response data in `stat()` method
(GH-130646) (#130764)
gh-130637: Add validation for numeric response data in `stat()` method
(GH-130646)
(cherry picked from commit a42168d316f0c9a4fc5658dab87682dc19054efb)
Co-authored-by: Kanishk Pachauri <itskanishkp...@gmail.com>
Co-authored-by: Eric V. Smith <ericvsm...@users.noreply.github.com>
files:
A Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
M Lib/poplib.py
M Lib/test/test_poplib.py
diff --git a/Lib/poplib.py b/Lib/poplib.py
index 81b01385987c3b..9eb662d0000cb1 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -226,8 +226,19 @@ def stat(self):
retval = self._shortcmd('STAT')
rets = retval.split()
if self._debugging: print('*stat*', repr(rets))
- numMessages = int(rets[1])
- sizeMessages = int(rets[2])
+
+ # Check if the response has enough elements
+ # RFC 1939 requires at least 3 elements (+OK, message count, mailbox
size)
+ # but allows additional data after the required fields
+ if len(rets) < 3:
+ raise error_proto("Invalid STAT response format")
+
+ try:
+ numMessages = int(rets[1])
+ sizeMessages = int(rets[2])
+ except ValueError:
+ raise error_proto("Invalid STAT response data: non-numeric values")
+
return (numMessages, sizeMessages)
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
index 869f9431b928bb..f1ebbeafe0cfb4 100644
--- a/Lib/test/test_poplib.py
+++ b/Lib/test/test_poplib.py
@@ -289,6 +289,37 @@ def test_pass_(self):
def test_stat(self):
self.assertEqual(self.client.stat(), (10, 100))
+ original_shortcmd = self.client._shortcmd
+ def mock_shortcmd_invalid_format(cmd):
+ if cmd == 'STAT':
+ return b'+OK'
+ return original_shortcmd(cmd)
+
+ self.client._shortcmd = mock_shortcmd_invalid_format
+ with self.assertRaises(poplib.error_proto):
+ self.client.stat()
+
+ def mock_shortcmd_invalid_data(cmd):
+ if cmd == 'STAT':
+ return b'+OK abc def'
+ return original_shortcmd(cmd)
+
+ self.client._shortcmd = mock_shortcmd_invalid_data
+ with self.assertRaises(poplib.error_proto):
+ self.client.stat()
+
+ def mock_shortcmd_extra_fields(cmd):
+ if cmd == 'STAT':
+ return b'+OK 1 2 3 4 5'
+ return original_shortcmd(cmd)
+
+ self.client._shortcmd = mock_shortcmd_extra_fields
+
+ result = self.client.stat()
+ self.assertEqual(result, (1, 2))
+
+ self.client._shortcmd = original_shortcmd
+
def test_list(self):
self.assertEqual(self.client.list()[1:],
([b'1 1', b'2 2', b'3 3', b'4 4', b'5 5'],
diff --git
a/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
b/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
new file mode 100644
index 00000000000000..83cd6c63c35215
--- /dev/null
+++
b/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
@@ -0,0 +1 @@
+Add validation for numeric response data in poplib.POP3.stat() method
_______________________________________________
Python-checkins mailing list -- python-checkins@python.org
To unsubscribe send an email to python-checkins-le...@python.org
https://mail.python.org/mailman3/lists/python-checkins.python.org/
Member address: arch...@mail-archive.com
