bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)

* bpo-16039: CVE-2013-1752: Change use of readline() in imaplib.IMAP4_SSL to limit line length. Remove IMAP4_SSL.readline() and IMAP4_SSL.read() to inherit safe IMAP4 implementation. * bpo-20118: reenable test_linetoolong() of test_imaplib on ThreadedNetworkedTests and ThreadedNetworkedTestsSSL. The test now sets the _MAXLINE limit to 10 characters.

Author: vstinner

Lib/imaplib.py

@@ -1182,16 +1182,6 @@ def open(self, host = '', port = IMAP4_SSL_PORT):
  self.file = self.sslobj.makefile('rb')
 
 
- def read(self, size):
- """Read 'size' bytes from remote."""
- return self.file.read(size)
-
-
- def readline(self):
- """Read line from remote."""
- return self.file.readline()
-
-
  def send(self, data):
  """Send data to remote."""
  bytes = len(data)

Lib/test/test_imaplib.py

@@ -166,14 +166,18 @@ def handle(self):
 
 
  def test_linetoolong(self):
+ maxline = 10
+
  class TooLongHandler(SimpleIMAPHandler):
  def handle(self):
  # Send a very long response line
- self.wfile.write('* OK ' + imaplib._MAXLINE*'x' + '\r\n')
+ self.wfile.write('* OK ' + maxline * 'x' + '\r\n')
 
- with self.reaped_server(TooLongHandler) as server:
- self.assertRaises(imaplib.IMAP4.error,
- self.imap_class, *server.server_address)
+ with self.reaped_server(TooLongHandler) as server, \
+ support.swap_attr(imaplib, '_MAXLINE', maxline):
+ with self.assertRaisesRegexp(imaplib.IMAP4.error,
+ 'got more than 10 bytes'):
+ self.imap_class(*server.server_address)
 
 class ThreadedNetworkedTests(BaseThreadedNetworkedTests):
 
@@ -187,9 +191,6 @@ class ThreadedNetworkedTestsSSL(BaseThreadedNetworkedTests):
  server_class = SecureTCPServer
  imap_class = IMAP4_SSL
 
- def test_linetoolong(self):
- raise unittest.SkipTest("test is not reliable on 2.7; see issue 20118")
-
 
 class RemoteIMAPTest(unittest.TestCase):
  host = 'cyrus.andrew.cmu.edu'

Misc/NEWS.d/next/Security/2018-12-11-16-00-57.bpo-16039.PCj2n4.rst

@@ -0,0 +1,2 @@
+CVE-2013-1752: Change use of ``readline()`` in :class:`imaplib.IMAP4_SSL` to
+limit line length.