Issue 16040: nntplib: unlimited readline() from connection

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/60244

classification

Title:	nntplib: unlimited readline() from connection
Type:	resource usage	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.1, Python 3.2

process

Dependencies:	Superseder:
Status:	closed	Resolution:	fixed
Assigned To:	christian.heimes	Nosy List:	Arfrever, barry, benjamin.peterson, christian.heimes, francismb, georg.brandl, giampaolo.rodola, hynek, larry, nailor, python-dev, terry.reedy
Priority:	release blocker	Keywords:	patch

Created on 2012年09月25日 10:38 by christian.heimes, last changed 2022年04月11日 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
issue16040_py26.patch	nailor, 2013年09月30日 21:02	review
issue16040_py26_v2.patch	nailor, 2013年09月30日 21:43	review
issue16040_py32.patch	nailor, 2013年10月24日 19:58	review

Messages (23)
msg171243 - (view)	Author: Christian Heimes (christian.heimes) * (Python committer)	Date: 2012年09月25日 10:38
This bug is similar to #16037 and a modified copy of #16038. The nntplib module doesn't limit the amount of read data in its call to readline(). An erroneous or malicious news server can trick the nntplib module to consume large amounts of memory. Suggestion: The nntplib module should be modified to use limited readline() with _MAXLINE like the httplib module.
msg172291 - (view)	Author: Hynek Schlawack (hynek) * (Python committer)	Date: 2012年10月07日 11:05
Any suggestions on the value for _MAXLINE or just steal the 64k from httplib?
msg182190 - (view)	Author: Christian Heimes (christian.heimes) * (Python committer)	Date: 2013年02月15日 23:42
RFC 3977 specifies: Command lines MUST NOT exceed 512 octets, which includes the terminating CRLF pair. However NNTP also have multi-line data blocks. The RFC says nothing about the maximum length of a data line. We may need two limits here, one for command lines (2048 perhaps) and one much larger for data lines (a couple of MB?). Can somebody check other implementations?
msg182197 - (view)	Author: Christian Heimes (christian.heimes) * (Python committer)	Date: 2013年02月15日 23:59
CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib
msg185059 - (view)	Author: Benjamin Peterson (benjamin.peterson) * (Python committer)	Date: 2013年03月23日 14:45
Not blocking 2.7.4 as discussed on mailing list.
msg196859 - (view)	Author: Barry A. Warsaw (barry) * (Python committer)	Date: 2013年09月03日 18:34
blocker for 2.6.9
msg197781 - (view)	Author: Barry A. Warsaw (barry) * (Python committer)	Date: 2013年09月15日 16:21
Any more thoughts on this bug w.r.t. 2.6.9? It seems that without a patch for any version of Python, and with 2.6.9 coming soon, a fix for this just won't make it into 2.6.9. That doesn't bother me too much, and I'm willing to just knock this off the 2.6.9 radar unless objections (accompanied by patches? :) are raised.
msg198739 - (view)	Author: Jyrki Pulliainen (nailor) *	Date: 2013年09月30日 21:02
Regarding the implementation: all commands (even those returning multiple lines), use the same readline method. I've attached a patch for 2.6, working on the 2.7+ too.
msg198740 - (view)	Author: Barry A. Warsaw (barry) * (Python committer)	Date: 2013年09月30日 21:07
Looks great, thanks! I'll apply this to 2.6.9 but let others forward port it to 2.7.
msg198741 - (view)	Author: Jyrki Pulliainen (nailor) *	Date: 2013年09月30日 21:12
The patch for 2.6 applies cleanly on 2.7 too and the tests pass there
msg198742 - (view)	Author: Jyrki Pulliainen (nailor) *	Date: 2013年09月30日 21:43
Did a slight change to the patch, making the too long line to look like a valid line so that it does not raise a NNTPProtocolError otherwise. Thanks to Barry for catching this :) I also wonder if there should be data error risen instead? Current docstrings of the errors are not that well fit.
msg198745 - (view)	Author: Barry A. Warsaw (barry) * (Python committer)	Date: 2013年09月30日 22:44
On Sep 30, 2013, at 09:43 PM, Jyrki Pulliainen wrote: >I also wonder if there should be data error risen instead? Current docstrings >of the errors are not that well fit. I guess a data error makes the least nonsense here, so I'll change it over to that. I'm happy to entertain other thoughts (except for introducing a new exception of course) before 2.6.9 final.
msg198746 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2013年09月30日 23:10
New changeset 731abf7834c4 by Barry Warsaw in branch '2.6': - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to http://hg.python.org/cpython/rev/731abf7834c4 New changeset 36680a7c0e22 by Barry Warsaw in branch '2.7': - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to http://hg.python.org/cpython/rev/36680a7c0e22
msg198777 - (view)	Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * (Python triager)	Date: 2013年10月01日 13:44
> New changeset 731abf7834c4 by Barry Warsaw in branch '2.6': > - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to > http://hg.python.org/cpython/rev/731abf7834c4 > > New changeset 36680a7c0e22 by Barry Warsaw in branch '2.7': > - Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to > http://hg.python.org/cpython/rev/36680a7c0e22 s/lenght/length/ in new comment in Lib/nntplib.py
msg198791 - (view)	Author: Barry A. Warsaw (barry) * (Python committer)	Date: 2013年10月01日 15:40
On Oct 01, 2013, at 01:44 PM, Arfrever Frehtes Taifersar Arahesis wrote: >s/lenght/length/ in new comment in Lib/nntplib.py Fixed, thanks.
msg200351 - (view)	Author: Larry Hastings (larry) * (Python committer)	Date: 2013年10月19日 01:23
Ping. Please fix before "beta 1".
msg201172 - (view)	Author: Jyrki Pulliainen (nailor) *	Date: 2013年10月24日 19:58
...and here's a patch for 3.2
msg201425 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2013年10月27日 06:39
New changeset fc88bd80d925 by Georg Brandl in branch '3.3': Issue #16040: CVE-2013-1752: nntplib: Limit maximum line lengths to 2048 to http://hg.python.org/cpython/rev/fc88bd80d925
msg201428 - (view)	Author: Georg Brandl (georg.brandl) * (Python committer)	Date: 2013年10月27日 06:45
Also merged to default.
msg222501 - (view)	Author: Francis MB (francismb) *	Date: 2014年07月07日 19:27
Just a small detail on the patches, they seem to have a typo (lenght vs. length) on the line: >> reading arbitrary lenght lines. RFC 3977 limits NNTP line length to
msg222625 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2014年07月09日 17:16
New changeset 5be778fec115 by Berker Peksag in branch '3.4': Issues #21948 and #16040: Fix typos. http://hg.python.org/cpython/rev/5be778fec115 New changeset 051cc4f60384 by Berker Peksag in branch 'default': Issues #21948 and #16040: Merge with 3.4. http://hg.python.org/cpython/rev/051cc4f60384
msg226118 - (view)	Author: Terry J. Reedy (terry.reedy) * (Python committer)	Date: 2014年08月30日 03:54
3.1 is finished and Georg decided to skip 3.2.
msg229122 - (view)	Author: Roundup Robot (python-dev) (Python triager)	Date: 2014年10月12日 07:17
New changeset 985bda4edf9d by Georg Brandl in branch '3.2': #16040: fix unlimited read from connection in nntplib. https://hg.python.org/cpython/rev/985bda4edf9d

History
Date	User	Action	Args
2022年04月11日 14:57:36	admin	set	github: 60244
2014年10月12日 07:17:06	python-dev	set	messages: + msg229122
2014年08月30日 03:54:57	terry.reedy	set	status: open -> closed nosy: + terry.reedy messages: + msg226118 resolution: fixed stage: needs patch -> resolved
2014年07月09日 17:16:33	python-dev	set	messages: + msg222625
2014年07月07日 19:27:21	francismb	set	nosy: + francismb messages: + msg222501
2013年10月27日 06:45:50	georg.brandl	set	messages: + msg201428 versions: - Python 3.3, Python 3.4
2013年10月27日 06:39:04	python-dev	set	messages: + msg201425
2013年10月24日 19:58:14	nailor	set	files: + issue16040_py32.patch messages: + msg201172
2013年10月19日 01:23:16	larry	set	messages: + msg200351
2013年10月01日 15:40:03	barry	set	messages: + msg198791
2013年10月01日 13:44:54	Arfrever	set	messages: + msg198777
2013年09月30日 23:11:57	barry	set	versions: - Python 2.7
2013年09月30日 23:11:23	barry	set	versions: - Python 2.6
2013年09月30日 23:10:13	python-dev	set	nosy: + python-dev messages: + msg198746
2013年09月30日 22:44:21	barry	set	messages: + msg198745
2013年09月30日 21:43:48	nailor	set	files: + issue16040_py26_v2.patch messages: + msg198742
2013年09月30日 21:12:58	nailor	set	messages: + msg198741
2013年09月30日 21:07:44	barry	set	messages: + msg198740
2013年09月30日 21:02:23	nailor	set	files: + issue16040_py26.patch nosy: + nailor messages: + msg198739 keywords: + patch
2013年09月15日 19:44:01	Arfrever	set	versions: + Python 2.6, Python 3.1
2013年09月15日 16:21:49	barry	set	messages: + msg197781
2013年09月03日 18:34:01	barry	set	priority: critical -> release blocker nosy: + barry messages: + msg196859
2013年03月23日 14:45:57	benjamin.peterson	set	priority: release blocker -> critical messages: + msg185059
2013年02月22日 23:47:40	Arfrever	set	nosy: + Arfrever
2013年02月15日 23:59:15	christian.heimes	set	messages: + msg182197
2013年02月15日 23:42:22	christian.heimes	set	messages: + msg182190 stage: needs patch
2013年02月04日 17:11:21	christian.heimes	set	priority: critical -> release blocker nosy: + larry, benjamin.peterson, georg.brandl
2013年01月21日 11:37:14	giampaolo.rodola	set	nosy: + giampaolo.rodola
2013年01月20日 14:38:02	christian.heimes	set	priority: normal -> critical assignee: christian.heimes versions: + Python 3.4
2012年10月07日 11:05:26	hynek	set	messages: + msg172291
2012年09月26日 04:27:41	hynek	set	nosy: + hynek
2012年09月25日 10:38:44	christian.heimes	create

homepage