Roundup Robot added the comment:
New changeset 923aac88a3cc by Benjamin Peterson in branch '2.7':
smtplib: limit amount read from the network (closes #16042)
https://hg.python.org/cpython/rev/923aac88a3cc
--
resolution: - fixed
stage: needs patch - resolved
status: open - closed
Changes by Matthias Klose d...@debian.org:
--
nosy: +doko
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue16042
___
___
Python-bugs-list mailing
Changes by Georg Brandl ge...@python.org:
--
versions: -Python 3.1
Roundup Robot added the comment:
New changeset 0f362676460d by Georg Brandl in branch '3.2':
Issue #16042: CVE-2013-1752: smtplib: Limit amount of data read by
https://hg.python.org/cpython/rev/0f362676460d
Changes by Georg Brandl ge...@python.org:
--
versions: -Python 3.2
Arfrever Frehtes Taifersar Arahesis added the comment:
New changeset 4065c4539fcb by Georg Brandl in branch '3.2':
Fix-up for 0f362676460d: add missing size argument to SSLFakeFile.readline(),
as in 2.6 backport
https://hg.python.org/cpython/rev/4065c4539fcb
A.M. Kuchling added the comment:
Are we going to apply a fix for this to 2.7?
Changes by Georg Brandl ge...@python.org:
--
versions: -Python 3.3, Python 3.4
Larry Hastings added the comment:
Could someone merge this change from 3.3 into default? I would cherry-pick it
for 3.4.0 if they did.
Benjamin Peterson added the comment:
318de3affa3d
Roundup Robot added the comment:
New changeset d62a67318023 by Georg Brandl in branch '3.3':
#16042: CVE-2013-1752: smtplib fix for unlimited readline() from socket
http://hg.python.org/cpython/rev/d62a67318023
A.M. Kuchling added the comment:
Serhiy, your version of the patch for 2.7 looks fine.
I've attached a version of the patch for 3.3. A change is needed to the
MockFile object provided by Lib/test/mock_socket.py
--
Added file: http://bugs.python.org/file32590/3.3-fix.txt
Serhiy Storchaka added the comment:
Here is a port of changeset 8a6def3add5b for 2.7. However getreply() is not
tested yet.
--
Added file: http://bugs.python.org/file32254/smtplib_maxline-2.7.patch
Larry Hastings added the comment:
Can we get this fixed in more recent versions? Like, maybe, trunk, before
beta 1?
Barry A. Warsaw added the comment:
Please don't add 2.6 back to the Versions, unless there's actually something to
do for 2.6. AFAIK, this issue is resolved for 2.6.
--
versions: -Python 2.6
A.M. Kuchling added the comment:
The patch requires a little adjusting to apply against 2.6.
--
nosy: +akuchling
Added file: http://bugs.python.org/file31772/smtplib-2.6.patch
A.M. Kuchling added the comment:
Here's a final proposed version of the patch for 2.6 that adds a test. Changes
made:
* code now raises SMTPResponseException instead of a new SMTPLineTooLong
exception; bwarsaw deemed that adding a new exception class was changing the
module API.
* we
Serhiy Storchaka added the comment:
It is not important in the context of this issue, but readline(0) is blocked
and returns 1-character string. Move the length check above
self.sslobj.read(1). For readability you can also move the chr != \n inside
the loop:
while size is None
Changes by Serhiy Storchaka storch...@gmail.com:
--
Removed message: http://bugs.python.org/msg197788
Barry A. Warsaw added the comment:
Patch looks great, thanks Andrew. All tests pass. Feel free to commit to the
2.6 branch along with a NEWS file entry.
Barry A. Warsaw added the comment:
On Sep 15, 2013, at 04:47 PM, Serhiy Storchaka wrote:
It is not important in the context of this issue, but readline(0) is blocked
and returns 1-character string. Move the length check above
self.sslobj.read(1). For readability you can also move the chr != \n
Roundup Robot added the comment:
New changeset 8a6def3add5b by Andrew Kuchling in branch '2.6':
#16042: CVE-2013-1752: Limit amount of data read by limiting the call to
readline().
http://hg.python.org/cpython/rev/8a6def3add5b
--
nosy: +python-dev
R. David Murray added the comment:
I'm not sure what Serhiy means by is blocked, but the second half makes
sense: readline(0) on a file will return the empty string, but here it will
read one character and return it. Like he says, it doesn't break anything in
the context of this bug fix, but
A.M. Kuchling added the comment:
I took Serhiy's suggestion and just moved up the 'if size' check in the loop.
Serhiy Storchaka added the comment:
Also, what do you mean by readline(0) is blocked? Do you mean this is a
blocking call or something else?
Yes, I mean this is a blocking call.
Unless I'm missing something his replacement also has a bug, though: it won't
add the \n to the returned
Barry A. Warsaw added the comment:
On Sep 15, 2013, at 05:34 PM, Serhiy Storchaka wrote:
Oh, right. The correct code should be as I proposed in msg173413 or... as
Andrew has committed. Good.
Excellent. So we're good for this in 2.6. Thanks!
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
--
versions: +Python 2.6, Python 3.1
Barry A. Warsaw added the comment:
blocker for 2.6.9
--
priority: critical - release blocker
Benjamin Peterson added the comment:
Not blocking 2.7.4 as discussed on mailing list.
--
priority: release blocker - critical
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
--
nosy: +Arfrever
R. David Murray added the comment:
I doubt that 2048 is safer than 1024 for any meaningful value of safer. Either
the server respects the RFC limits or it does not. If it does not, it is
likely to send very long text lines if the sending MUA generates them, which I
suspect happens.
Christian Heimes added the comment:
RFC 2821 says:
command line
The maximum total length of a command line including the command
word and the CRLF is 512 characters. SMTP extensions may be
used to increase this limit.
reply line
The maximum total length of a
Christian Heimes added the comment:
CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib
Christian Heimes added the comment:
Oh, next time I should read my own patch and responses first ... ;)
Changes by Christian Heimes li...@cheimes.de:
--
nosy: +benjamin.peterson, georg.brandl, larry
priority: critical - release blocker
Changes by Giampaolo Rodola' g.rod...@gmail.com:
--
nosy: +giampaolo.rodola
Christian Heimes added the comment:
Yes, I'm going to work on this issue for 2.7 and 3.3.
--
assignee: - christian.heimes
priority: normal - critical
stage: - needs patch
versions: +Python 3.4
Serhiy Storchaka added the comment:
mock_socket violates readline() contract. It can return more than size bytes,
and this can break SMTP.readline().
R. David Murray added the comment:
Christian, do you want to try to complete this before the 2.7.4 RC?
Serhiy Storchaka added the comment:
I understand you, it's a patch against 2.7.
+def readline(self, size=-1):
In io.IOBase.readline() and in io.TextIOBase.readline() this parameter named
limit.
+if size is not None and len(str) == size:
+break
It
Changes by R. David Murray rdmur...@bitdance.com:
--
components: +email
New submission from Christian Heimes:
This bug is similar to #16037 and a modified copy of #16038.
The smtplib module doesn't limit the amount of read data in its call to
readline(). An erroneous or malicious SMTP server can trick the smtplib module
to consume large amounts of memory.
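The unbounded read described in the report above, together with the readline(0) ordering point raised later in the thread, shown as an added example that is not one of the issue's patches: a constructed socket stand-in, a size-bounded readline whose length check runs before the read, and a getreply that rejects any reply line over the limit. _MAXLINE, FakeSocket and the exception class are assumptions made for this example; the size < 0 meaning "unlimited" follows the -1 convention discussed in the thread, not the None used by the 2.x backport.

```python
# Constructed limit for this example; smtplib defines its own module constant.
_MAXLINE = 8192

class SMTPResponseException(Exception):
    """Stand-in for smtplib.SMTPResponseException (constructed for this example)."""
    def __init__(self, code, msg):
        super().__init__(code, msg)
        self.smtp_code, self.smtp_error = code, msg

class FakeSocket:
    """Constructed socket stand-in that serves a canned server transcript."""
    def __init__(self, data):
        self._data, self._pos = data, 0

    def read(self, n):
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk

def bounded_readline(sock, size=-1):
    """Read one line byte by byte, returning at most size bytes (size < 0: no limit).

    The length check runs before the read, so readline(0) returns b"" rather than
    reading and returning one byte (the ordering point raised on this issue).
    """
    line = b""
    while size < 0 or len(line) < size:
        c = sock.read(1)
        if not c:  # peer closed the connection
            break
        line += c
        if c == b"\n":
            break
    return line

def getreply(sock, maxline=_MAXLINE):
    """Parse a (possibly multi-line) SMTP reply, refusing any line over maxline bytes."""
    resp = []
    while True:
        # Ask for one byte more than the limit so an overlong line is detectable.
        line = bounded_readline(sock, maxline + 1)
        if not line:
            raise SMTPResponseException(421, "connection closed")
        if len(line) > maxline:
            raise SMTPResponseException(500, "Line too long.")
        resp.append(line[4:].strip(b" \t\r\n"))
        code = line[:3]
        if line[3:4] != b"-":  # "-" after the code marks a continuation line
            break
    return int(code), b"\n".join(resp)
```

A server that never sends a line terminator now costs the client at most maxline + 1 bytes of buffer before the reply is rejected, instead of growing without bound.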
Christian Heimes added the comment:
RFC 821 [1] specifies rather short line lengths between 512 and 1001 chars
including the trailing CRLF. A line limit of a couple of kilobyte should
definitely work with all standard conform SMTP clients and servers.
[1]
Changes by Christian Heimes li...@cheimes.de:
--
nosy: +barry, r.david.murray
Christian Heimes added the comment:
First patch
I haven't written tests yet nor implemented the size limit on the mock_socket
class.
--
keywords: +patch
Added file: http://bugs.python.org/file27297/smtp_readline.patch
R. David Murray added the comment:
I've only taken a quick glance at this so far.
Why size=-1 instead of size=None?
Christian Heimes added the comment:
size=-1 mimics the code of the io module. The C implementation of readline()
maps all negative values to unlimited and values >= 0 as limit.
>>> sys.stdin.readline(None)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: 'NoneType'
Serhiy Storchaka added the comment:
Both io.IOBase.readline() and io.TextIOBase.readline() have parameter named
limit.
I doubt that such a change can be done in 2.7 and 3.2.
--
nosy: +storchaka
Serhiy Storchaka added the comment:
Please submit patches in standard Mercurial format so that Rietveld understands them.
I wanted to make a code review, but I don't see the definition of the readline()
method in the file Lib/smtplib.py.