Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitf116a9c

Browse files
hugovkserhiy-storchakagpshead
authored
[3.9]gh-119511: Fix a potential denial of service in imaplib (GH-119514) (#130248)
The IMAP4 client could consume an arbitrary amount of memory when tryingto connect to a malicious server, because it read a "literal" data with asingle read(size) call, and BufferedReader.read() allocates the bytesobject of the specified size before reading. Now the IMAP4 client reads databy chunks, therefore the amount of used memory is limited by theamount of the data actually been sent by the server.(cherry picked from commit735f25c)Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>Co-authored-by: Gregory P. Smith <greg@krypto.org>
1 parentd80cbdd commitf116a9c

File tree

3 files changed

+32
-1
lines changed

3 files changed

+32
-1
lines changed

‎Lib/imaplib.py

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,9 @@
5252
# search command can be quite large, so we now use 1M.
5353
_MAXLINE=1000000
5454

55+
# Data larger than this will be read in chunks, to prevent extreme
56+
# overallocation.
57+
_SAFE_BUF_SIZE=1<<20
5558

5659
# Commands
5760

@@ -315,7 +318,13 @@ def open(self, host='', port=IMAP4_PORT, timeout=None):
315318

316319
defread(self,size):
317320
"""Read 'size' bytes from remote."""
318-
returnself.file.read(size)
321+
cursize=min(size,_SAFE_BUF_SIZE)
322+
data=self.file.read(cursize)
323+
whilecursize<sizeandlen(data)==cursize:
324+
delta=min(cursize,size-cursize)
325+
data+=self.file.read(delta)
326+
cursize+=delta
327+
returndata
319328

320329

321330
defreadline(self):

‎Lib/test/test_imaplib.py

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -906,6 +906,21 @@ def handle(self):
906906
self.assertRaises(imaplib.IMAP4.error,
907907
self.imap_class,*server.server_address)
908908

909+
@reap_threads
910+
deftest_truncated_large_literal(self):
911+
size=0
912+
classBadHandler(SimpleIMAPHandler):
913+
defhandle(self):
914+
self._send_textline('* OK {%d}'%size)
915+
self._send_textline('IMAP4rev1')
916+
917+
forexponentinrange(15,64):
918+
size=1<<exponent
919+
withself.subTest(f"size=2e{size}"):
920+
withself.reaped_server(BadHandler)asserver:
921+
withself.assertRaises(imaplib.IMAP4.abort):
922+
self.imap_class(*server.server_address)
923+
909924
@reap_threads
910925
deftest_simple_with_statement(self):
911926
# simplest call
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
Fix a potential denial of service in the:mod:`imaplib` module. When connecting
2+
to a malicious server, it could cause an arbitrary amount of memory to be
3+
allocated. On many systems this is harmless as unused virtual memory is only a
4+
mapping, but if this hit a virtual address size limit it could lead to a
5+
:exc:`MemoryError` or other process crash. On unusual systems or builds where
6+
all allocated memory is touched and backed by actual ram or storage it could've
7+
consumed resources doing so until similarly crashing.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp