diff -r 96f08a22f562 Lib/poplib.py
--- a/Lib/poplib.py Sat Feb 23 22:21:48 2013 -0500
+++ b/Lib/poplib.py Thu Oct 24 21:01:52 2013 +0200
@@ -40,6 +40,12 @@
 LF = b'\n'
 CRLF = CR+LF
+# maximal line length when calling readline(). This is to prevent
+# reading arbitrary lenght lines. RFC 1939 limits POP3 line length to
+# 512 characters, including CRLF. We have selected 2048 just to be on
+# the safe side.
+_MAXLINE = 2048
+
 class POP3:
@@ -118,7 +124,10 @@
 # Raise error_proto('-ERR EOF') if the connection is closed.
 def _getline(self):
- line = self.file.readline()
+ line = self.file.readline(_MAXLINE + 1)
+ if len(line) > _MAXLINE:
+ raise error_proto('line too long')
+
 if self._debugging > 1: print('*get*', repr(line))
 if not line: raise error_proto('-ERR EOF')
 octets = len(line)
diff -r 96f08a22f562 Lib/test/test_poplib.py
--- a/Lib/test/test_poplib.py Sat Feb 23 22:21:48 2013 -0500
+++ b/Lib/test/test_poplib.py Thu Oct 24 21:01:52 2013 +0200
@@ -94,7 +94,7 @@
 def cmd_list(self, arg):
 if arg:
- self.push('+OK %s %s' %(arg, arg))
+ self.push('+OK %s %s' % (arg, arg))
 else:
 self.push('+OK')
 asynchat.async_chat.push(self, LIST_RESP)
@@ -278,6 +278,10 @@
 foo = self.client.retr('foo')
 self.assertEqual(foo, expected)
+ def test_too_long_lines(self):
+ self.assertRaises(poplib.error_proto, self.client._shortcmd,
+ 'echo +%s' % (3000 * 'a'))
+
 def test_dele(self):
 self.assertOK(self.client.dele('foo'))
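Review bot: The comment added above `_MAXLINE` in Lib/poplib.py (hunk `@@ -40,6 +40,12 @@`) misspells "length" as "lenght" and speaks of "characters", while the limit is compared against `len()` of what `readline()` returns, which looks like bytes given the `b'\n'` constant just above. I would word it as `# Maximal line length in bytes, CRLF included, accepted from the server by readline().` and keep the RFC 1939 sentence as it is. Saying in the comment that the bound protects the client from a misbehaving server would make clear to later maintainers why the limit should stay.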
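Review bot: After the new `raise error_proto('line too long')` in `_getline` (Lib/poplib.py, hunk `@@ -118,7 +124,10 @@`), the rest of the oversized line stays unread on `self.file`, so a later command on the same object would presumably read leftover bytes as its response. Nothing in the hunk closes the connection or tells callers to do so; at minimum add a comment beside the raise such as `# The rest of the line is left unread; the session is out of sync and the caller should close it.` The limit is also per line only: whether the number of lines in a multi-line response is bounded cannot be seen here, because the code that collects them is outside the hunk. `_getline` itself continues past the end of the hunk.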
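Review bot: `test_too_long_lines` in Lib/test/test_poplib.py (hunk `@@ -278,6 +278,10 @@`) hard-codes `3000`, so it is not tied to the limit it checks and would fail for the wrong reason if `_MAXLINE` were ever raised above that. Deriving the payload from the constant, `'echo +%s' % ((poplib._MAXLINE + 10) * 'a')`, keeps the test and the limit together. A companion assertion that a response just under `_MAXLINE` is still accepted would catch an off-by-one in the `len(line) > _MAXLINE` comparison. Only the single-line `_shortcmd` path is exercised, so a multi-line command such as `retr` is not covered; the test class continues outside the hunk.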