[issue16039] imaplib: unlimited readline() from connection

2018-12-12 Thread STINNER Victor


STINNER Victor  added the comment:

I added imaplib.IMAP4_SSL.readline() to my python-security website:

https://python-security.readthedocs.io/vuln/cve-2013-1752_cve-2013-1752_limit_imaplib.imap4_ssl.readline.html

I'm now waiting for a Python 2.7.16 release.

--
priority: release blocker -> 

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue16039] imaplib: unlimited readline() from connection

2018-12-12 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset 16d63202af35dadd652a5e3eae687ea709e95b11 by Victor Stinner in 
branch '2.7':
bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)
https://github.com/python/cpython/commit/16d63202af35dadd652a5e3eae687ea709e95b11


--




[issue16039] imaplib: unlimited readline() from connection

2018-12-11 Thread STINNER Victor


Change by STINNER Victor :


--
pull_requests: +10351




[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 5d1c03316af7 by Georg Brandl in branch '3.2':
Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
https://hg.python.org/cpython/rev/5d1c03316af7

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue16039
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl

Changes by Georg Brandl ge...@python.org:


--
versions:  -Python 3.1, Python 3.2




[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread STINNER Victor

STINNER Victor added the comment:

> New changeset 5d1c03316af7 by Georg Brandl in branch '3.2':
> Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
> https://hg.python.org/cpython/rev/5d1c03316af7

I'm not sure that this change is correct, the test failed on Windows. Or maybe 
it's just an issue with the test?

http://buildbot.python.org/all/builders/AMD64%20Windows7%20SP1%203.x/builds/5168/steps/test/logs/stdio

======================================================================
ERROR: test_connect (test.test_smtpnet.SmtpSSLTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\test\test_smtpnet.py", line 16, in test_connect
    server = smtplib.SMTP_SSL(self.testServer, self.remotePort)
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 862, in __init__
    SMTP.__init__(self, host, port, local_hostname, timeout)
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 260, in __init__
    (code, msg) = self.connect(host, port)
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 321, in connect
    (code, msg) = self.getreply()
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 367, in getreply
    line = self.file.readline(_MAXLINE + 1)
TypeError: readline() takes exactly 1 positional argument (2 given)

--
resolution: fixed -> 
status: closed -> open




[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl

Georg Brandl added the comment:

Let me check that.

--




[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Arfrever Frehtes Taifersar Arahesis

Arfrever Frehtes Taifersar Arahesis added the comment:

This error is rather related to issue #16042, not issue #16039.

--




[issue16039] imaplib: unlimited readline() from connection

2014-09-30 Thread Georg Brandl

Changes by Georg Brandl ge...@python.org:


--
resolution:  -> fixed
status: open -> closed




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor

STINNER Victor added the comment:

Why is this issue still open? The issue was fixed in Python 2.6.9. Why is the 
issue a release blocker? The issue was also fixed in the future Python 3.4 (in 
default).

--
nosy: +haypo




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray

R. David Murray added the comment:

Presumably because it has not been fixed in 2.7.

--
nosy: +r.david.murray




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor

STINNER Victor added the comment:

> Since the merge 2.6 -> 2.7 did not apply cleanly, and had other problems. I 
> null merged the 2.6 changes.  I'll leave it to Benjamin to work out whatever 
> patches 2.7 needs.

So Benjamin, is there a reason to not fix this security vulnerability in Python 
2.7?

--




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread Benjamin Peterson

Benjamin Peterson added the comment:

There's no reason not to fix it assuming the patch is good...

--




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray

R. David Murray added the comment:

Applied to 2.7 in dd906f4ab923.

--
resolution:  -> fixed
stage: needs patch -> committed/rejected
status: open -> closed




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray

R. David Murray added the comment:

And we're getting test failures in the SSL version of the test.  No similar 
failure reports in the tracker, and the same test has been running on the 
Python3 branch for a while now.

--




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread Roundup Robot

Roundup Robot added the comment:

New changeset d7ae948d9eee by R David Murray in branch '2.7':
#16039/#20118: temporarily skip failing imaplib SSL test.
http://hg.python.org/cpython/rev/d7ae948d9eee

--




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor

STINNER Victor added the comment:

Reopen, a test is failing.

--
resolution: fixed -> 
status: closed -> open




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread R. David Murray

R. David Murray added the comment:

I opened a new issue for the failing test: issue 20118, so I don't see a reason 
to keep this open.

--




[issue16039] imaplib: unlimited readline() from connection

2014-01-03 Thread STINNER Victor

STINNER Victor added the comment:

> I opened a new issue for the failing test: issue 20118, so I don't see a 
> reason to keep this open.

Ok, I wasn't aware of this issue.

--
resolution:  -> fixed
status: open -> closed




[issue16039] imaplib: unlimited readline() from connection

2013-10-27 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 4b0364fc5711 by Georg Brandl in branch '3.3':
Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
http://hg.python.org/cpython/rev/4b0364fc5711

--




[issue16039] imaplib: unlimited readline() from connection

2013-10-27 Thread Georg Brandl

Georg Brandl added the comment:

Also merged to default.

--
versions:  -Python 3.3, Python 3.4




[issue16039] imaplib: unlimited readline() from connection

2013-10-18 Thread Larry Hastings

Larry Hastings added the comment:

Ping.  Please fix before beta 1.

--




[issue16039] imaplib: unlimited readline() from connection

2013-09-22 Thread Barry A. Warsaw

Barry A. Warsaw added the comment:

Looks good for 2.6.  The NEWS file hunk doesn't apply, but I'll fix that when I 
commit this to 2.6.

--




[issue16039] imaplib: unlimited readline() from connection

2013-09-22 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 4190568ceda0 by Barry Warsaw in branch '2.6':
- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
http://hg.python.org/cpython/rev/4190568ceda0

--
nosy: +python-dev




[issue16039] imaplib: unlimited readline() from connection

2013-09-22 Thread Barry A. Warsaw

Barry A. Warsaw added the comment:

Since the merge 2.6 -> 2.7 did not apply cleanly, and had other problems. I 
null merged the 2.6 changes.  I'll leave it to Benjamin to work out whatever 
patches 2.7 needs.

--
versions:  -Python 2.6




[issue16039] imaplib: unlimited readline() from connection

2013-09-15 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
versions: +Python 2.6, Python 3.1




[issue16039] imaplib: unlimited readline() from connection

2013-09-15 Thread A.M. Kuchling

A.M. Kuchling added the comment:

Updated version of the patch against 2.6 that adds a test.  Thanks for the fix, 
Emil!

--
nosy: +akuchling
Added file: http://bugs.python.org/file31778/imaplib.txt




[issue16039] imaplib: unlimited readline() from connection

2013-09-03 Thread Barry A. Warsaw

Barry A. Warsaw added the comment:

blocker for 2.6.9

--
nosy: +barry
priority: critical -> release blocker




[issue16039] imaplib: unlimited readline() from connection

2013-03-23 Thread Benjamin Peterson

Benjamin Peterson added the comment:

Not blocking 2.7.4 as discussed on mailing list.

--
priority: release blocker -> critical




[issue16039] imaplib: unlimited readline() from connection

2013-02-26 Thread Emil Lind

Emil Lind added the comment:

I'm uploading my first patch. 
Heavily based on the related issues for ftplib and poplib.
Need help with review and a few questions...

Q1: Is the error Exception the right way to handle the breach (disconnects 
client?) or is there a better way? Like a 'BAD' response...

Q2: I'm not sure how to best modify the test_imaplib for this patch. I'm 
guessing a make_server where the client gets MAXLINE+1 bytes of data and 
validates exception. But it's above my abilities right now...

I welcome any input, thanks. 

note: patch seems to apply to 2.7, 3.2, 3.3, 3.4

--
keywords: +patch
nosy: +Emil.Lind
Added file: http://bugs.python.org/file29254/imaplib.issue16039.patch




[issue16039] imaplib: unlimited readline() from connection

2013-02-22 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever




[issue16039] imaplib: unlimited readline() from connection

2013-02-15 Thread Christian Heimes

Christian Heimes added the comment:

RFC 3501 and 2060 (IMAP 4rev1) don't specify a line length


RFC 2683 says:

  A client should limit the length of the command lines it
  generates to approximately 1000 octets.

  For its part, a server should allow for a command line of at
  least 8000 octets.

Some config files and code have values between 2k and 64k, usually around 8k to 
10k, e.g.

 UW and Panda IMAP have a limit of 10,000 octets which is far
 more than what anything is ever likely to use.

--




[issue16039] imaplib: unlimited readline() from connection

2013-02-15 Thread Christian Heimes

Christian Heimes added the comment:

CVE-2013-1752  Unbound readline() DoS vulnerabilities in Python stdlib

--




[issue16039] imaplib: unlimited readline() from connection

2013-02-04 Thread Christian Heimes

Changes by Christian Heimes li...@cheimes.de:


--
nosy: +benjamin.peterson, georg.brandl, larry
priority: critical -> release blocker




[issue16039] imaplib: unlimited readline() from connection

2013-01-21 Thread Giampaolo Rodola'

Changes by Giampaolo Rodola' g.rod...@gmail.com:


--
nosy: +giampaolo.rodola




[issue16039] imaplib: unlimited readline() from connection

2013-01-20 Thread Christian Heimes

Changes by Christian Heimes li...@cheimes.de:


--
assignee:  -> christian.heimes
priority: normal -> critical
stage:  -> needs patch
versions: +Python 2.7, Python 3.2, Python 3.3, Python 3.4




[issue16039] imaplib: unlimited readline() from connection

2012-09-25 Thread Christian Heimes

New submission from Christian Heimes:

This bug is similar to #16037 and a modified copy of #16038.

The imaplib module doesn't limit the amount of read data in its call to 
readline(). An erroneous or malicious IMAP server can trick the imaplib module 
to consume large amounts of memory.

Suggestion:
The imaplib module should be modified to use limited readline() with _MAXLINE 
like the httplib module.

--
components: Library (Lib)
messages: 171242
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: imaplib: unlimited readline() from connection
type: resource usage

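
Added example (not part of the thread and not the CPython patch): the unbounded readline() from the original report next to the limited-readline pattern it suggests, run against the kind of test server Emil Lind's Q2 describes. The ConstructedServer class, the LineTooLong exception, the run() helper and the _MAXLINE value of 10000 are assumptions made for this sketch.

```python
import io

_MAXLINE = 10000  # assumed cap; the thread cites limits of roughly 8k to 10k octets


class LineTooLong(Exception):
    """The peer sent more than the allowed octets without a line terminator."""


class ConstructedServer(io.RawIOBase):
    """Constructed stand-in for the server side of a connection: a greeting
    line, then `flood` bytes with no newline. Counts the bytes it hands out."""

    def __init__(self, flood):
        self._data = io.BytesIO(b"* OK constructed greeting\r\n" + b"A" * flood)
        self.served = 0

    def readable(self):
        return True

    def readinto(self, buf):
        n = self._data.readinto(buf)
        self.served += n
        return n


def read_line_unbounded(fp):
    # Pattern from the report: the peer alone decides how long the line gets.
    return fp.readline()


def read_line_bounded(fp, maxline=_MAXLINE):
    # Request one octet more than the cap so a line of exactly `maxline`
    # octets can be told apart from one that is too long.
    line = fp.readline(maxline + 1)
    if len(line) > maxline:
        raise LineTooLong("got more than %d bytes" % maxline)
    return line


def run(reader, flood):
    """Read the greeting, then the flood line, with `reader`.
    Returns (greeting, outcome, bytes pulled from the server)."""
    raw = ConstructedServer(flood)
    fp = io.BufferedReader(raw, buffer_size=8192)
    greeting = reader(fp)
    try:
        outcome = len(reader(fp))  # memory used grows with this length
    except LineTooLong:
        outcome = "rejected"
    return greeting, outcome, raw.served


if __name__ == "__main__":
    flood = 5 * 1024 * 1024
    print(run(read_line_unbounded, flood))  # buffers the whole flood
    print(run(read_line_bounded, flood))    # stops near _MAXLINE
```

The bounded reader pulls at most the cap plus one read-ahead buffer from the peer, however much the peer is prepared to send. It needs a file object whose readline() accepts a size argument, which is the condition the TypeError in the traceback quoted in the thread is about.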