Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 2df8b39

Browse filesBrowse files
miss-islingtonserhiy-storchakagpshead
authored
[3.12] gh-119511: Fix a potential denial of service in imaplib (GH-119514) (GH-129356)
gh-119511: Fix a potential denial of service in imaplib (GH-119514) The IMAP4 client could consume an arbitrary amount of memory when trying to connect to a malicious server, because it read a "literal" data with a single read(size) call, and BufferedReader.read() allocates the bytes object of the specified size before reading. Now the IMAP4 client reads data by chunks, therefore the amount of used memory is limited by the amount of the data actually been sent by the server. (cherry picked from commit 735f25c) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com> Co-authored-by: Gregory P. Smith <greg@krypto.org>
1 parent 23faf5f commit 2df8b39
Copy full SHA for 2df8b39

File tree

3 files changed

+31
-1
lines changed
Filter options

3 files changed

+31
-1
lines changed

‎Lib/imaplib.py

Copy file name to clipboardExpand all lines: Lib/imaplib.py
+10-1Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,9 @@
5252
# search command can be quite large, so we now use 1M.
5353
_MAXLINE = 1000000
5454

55+
# Data larger than this will be read in chunks, to prevent extreme
56+
# overallocation.
57+
_SAFE_BUF_SIZE = 1 << 20
5558

5659
# Commands
5760

@@ -315,7 +318,13 @@ def open(self, host='', port=IMAP4_PORT, timeout=None):
315318

316319
def read(self, size):
317320
"""Read 'size' bytes from remote."""
318-
return self.file.read(size)
321+
cursize = min(size, _SAFE_BUF_SIZE)
322+
data = self.file.read(cursize)
323+
while cursize < size and len(data) == cursize:
324+
delta = min(cursize, size - cursize)
325+
data += self.file.read(delta)
326+
cursize += delta
327+
return data
319328

320329

321330
def readline(self):

‎Lib/test/test_imaplib.py

Copy file name to clipboardExpand all lines: Lib/test/test_imaplib.py
+14Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -901,6 +901,20 @@ def handle(self):
901901
self.assertRaises(imaplib.IMAP4.error,
902902
self.imap_class, *server.server_address)
903903

904+
def test_truncated_large_literal(self):
905+
size = 0
906+
class BadHandler(SimpleIMAPHandler):
907+
def handle(self):
908+
self._send_textline('* OK {%d}' % size)
909+
self._send_textline('IMAP4rev1')
910+
911+
for exponent in range(15, 64):
912+
size = 1 << exponent
913+
with self.subTest(f"size=2e{size}"):
914+
with self.reaped_server(BadHandler) as server:
915+
with self.assertRaises(imaplib.IMAP4.abort):
916+
self.imap_class(*server.server_address)
917+
904918
@threading_helper.reap_threads
905919
def test_simple_with_statement(self):
906920
# simplest call

‎Misc/NEWS.d/next/Security/2024-05-24-21-00-52.gh-issue-119511.jKrXQ8.rst

Copy file name to clipboard
+7Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
Fix a potential denial of service in the :mod:`imaplib` module. When connecting
2+
to a malicious server, it could cause an arbitrary amount of memory to be
3+
allocated. On many systems this is harmless as unused virtual memory is only a
4+
mapping, but if this hit a virtual address size limit it could lead to a
5+
:exc:`MemoryError` or other process crash. On unusual systems or builds where
6+
all allocated memory is touched and backed by actual ram or storage it could've
7+
consumed resources doing so until similarly crashing.

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.