This bug is similar to #16037 and a modified copy of #16038.

The imaplib module doesn't limit the amount of read data in its call to readline(). An erroneous or malicious IMAP server can trick the imaplib module to consume large amounts of memory.

Suggestion:
The imaplib module should be modified to use limited readline() with _MAXLINE like the httplib module.

RFC 3501 and 2060 (IMAP 4rev1) don't specify a line length


RFC 2683 says:

  A client should limit the length of the command lines it
  generates to approximately 1000 octets.

  For its part, a server should allow for a command line of at
  least 8000 octets.

Some config files and code have values between 2k and 64k, usually around 8k to 10k, e.g.

 UW and Panda IMAP have a limit of 10,000 octets which is far
 more than what anything is ever likely to use.

CVE-2013-1752  Unbound readline() DoS vulnerabilities in Python stdlib

I'm uploading my first patch. 
Heavily based on the related issues for ftplib and poplib.
Need help with review and a few questions...

Q1: Is the error Exception the right way to handle the "breach" (disconnects client?) or is there a better way? Like a 'BAD' response...

Q2: I'm not sure how to best modify the test_imaplib for this patch. I'm guessing a make_server where the client gets MAXLINE+1 bytes of data and validates exception. But it's above my abilities right now...

I welcome any input, thanks. 

note: patch seems to apply to 2.7, 3.2, 3.3, 3.4

Not blocking 2.7.4 as discussed on mailing list.

blocker for 2.6.9

Updated version of the patch against 2.6 that adds a test.  Thanks for the fix, Emil!

Looks good for 2.6.  The NEWS file hunk doesn't apply, but I'll fix that when I commit this to 2.6.

New changeset 4190568ceda0 by Barry Warsaw in branch '2.6':
- Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to
http://hg.python.org/cpython/rev/4190568ceda0

Since the merge 2.6 -> 2.7 did not apply cleanly, and had other problems. I null merged the 2.6 changes.  I'll leave it to Benjamin to work out whatever patches 2.7 needs.

Ping.  Please fix before "beta 1".

New changeset 4b0364fc5711 by Georg Brandl in branch '3.3':
Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
http://hg.python.org/cpython/rev/4b0364fc5711

Also merged to default.

Why is this issue still open? The issue was fixed in Python 2.6.9. Why is the issue a release blocker? The issue was also fixed in the future Python 3.4 (in default).

Presumably because it has not been fixed in 2.7.

"Since the merge 2.6 -> 2.7 did not apply cleanly, and had other problems. I null merged the 2.6 changes.  I'll leave it to Benjamin to work out whatever patches 2.7 needs."

So Benjamin, is there a reason to not fix this security vulnerability in Python 2.7?

There's no reason not to fix it assuming the patch is good...

Applied to 2.7 in dd906f4ab923.

And we're getting test failures in the SSL version of the test.  No similar failure reports in the tracker, and the same test has been running on the Python3 branch for a while now.

New changeset d7ae948d9eee by R David Murray in branch '2.7':
#16039/#20118: temporarily skip failing imaplib SSL test.
http://hg.python.org/cpython/rev/d7ae948d9eee

Reopen, a test is failing.

I opened a new issue for the failing test: issue 20118, so I don't see a reason to keep this open.

"I opened a new issue for the failing test: issue 20118, so I don't see a reason to keep this open."

Ok, I wasn't aware of this issue.

New changeset 5d1c03316af7 by Georg Brandl in branch '3.2':
Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
https://hg.python.org/cpython/rev/5d1c03316af7

> New changeset 5d1c03316af7 by Georg Brandl in branch '3.2':
> Issue #16039: CVE-2013-1752: Change use of readline in imaplib module to limit
> https://hg.python.org/cpython/rev/5d1c03316af7

I'm not sure that this change is correct, the test failed on Windows. Or maybe, it's just an issue with test test?

http://buildbot.python.org/all/builders/AMD64%20Windows7%20SP1%203.x/builds/5168/steps/test/logs/stdio

======================================================================
ERROR: test_connect (test.test_smtpnet.SmtpSSLTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\test\test_smtpnet.py", line 16, in test_connect
    server = smtplib.SMTP_SSL(self.testServer, self.remotePort)
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 862, in __init__
    SMTP.__init__(self, host, port, local_hostname, timeout)
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 260, in __init__
    (code, msg) = self.connect(host, port)
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 321, in connect
    (code, msg) = self.getreply()
  File "C:\buildbot.python.org\3.x.kloth-win64\build\lib\smtplib.py", line 367, in getreply
    line = self.file.readline(_MAXLINE + 1)
TypeError: readline() takes exactly 1 positional argument (2 given)

Let me check that.

This error is rather related to issue #16042, not issue #16039.

New changeset 16d63202af35dadd652a5e3eae687ea709e95b11 by Victor Stinner in branch '2.7':
bpo-16039: CVE-2013-1752: Limit imaplib.IMAP4_SSL.readline() (GH-11120)
https://github.com/python/cpython/commit/16d63202af35dadd652a5e3eae687ea709e95b11

I added imaplib.IMAP4_SSL.readline() to my python-security website:

https://python-security.readthedocs.io/vuln/cve-2013-1752_cve-2013-1752_limit_imaplib.imap4_ssl.readline.html

I'm now waiting for a Python 2.7.16 release.