nntplib: unlimited readline() from connection #60244
Comments
|
This bug is similar to bpo-16037 and a modified copy of bpo-16038. The nntplib module doesn't limit the amount of read data in its call to readline(). An erroneous or malicious news server can trick the nntplib module to consume large amounts of memory. Suggestion: |
tiran
added
stdlib
|
Any suggestions on the value for _MAXLINE or just steal the 64k from httplib? |
|
RFC 3977 specifies: Command lines MUST NOT exceed 512 octets, which includes However NNTP also have multi-line data blocks. The RFC says nothing about the maximum length of a data line. We may need two limits here, one for command lines (2048 perhaps) and one much larger for data lines (a couple of MB?). Can somebody check other implementations? |
|
CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib |
|
Not blocking 2.7.4 as discussed on mailing list. |
|
blocker for 2.6.9 |
|
Any more thoughts on this bug w.r.t. 2.6.9? It seems that without a patch for any version of Python, and with 2.6.9 coming soon, a fix for this just won't make it into 2.6.9. That doesn't bother me too much, and I'm willing to just knock this off the 2.6.9 radar unless objections (accompanied by patches? :) are raised. |
|
Regarding the implementation: all commands (even those returning multiple lines), use the same readline method. I've attached a patch for 2.6, working on the 2.7+ too. |
|
Looks great, thanks! I'll apply this to 2.6.9 but let others forward port it to 2.7. |
|
The patch for 2.6 applies cleanly on 2.7 too and the tests pass there |
|
Did a slight change to the patch, making the too long line to look like a valid line so that it does not raise a NNTPProtocolError otherwise. Thanks to Barry for catching this :) I also wonder if there should be data error risen instead? Current docstrings of the errors are not that well fit. |
|
On Sep 30, 2013, at 09:43 PM, Jyrki Pulliainen wrote:
I guess a data error makes the least nonsense here, so I'll change it over to |
|
New changeset 731abf7834c4 by Barry Warsaw in branch '2.6':
New changeset 36680a7c0e22 by Barry Warsaw in branch '2.7':
|
s/lenght/length/ in new comment in Lib/nntplib.py |
|
On Oct 01, 2013, at 01:44 PM, Arfrever Frehtes Taifersar Arahesis wrote:
Fixed, thanks. |
|
Ping. Please fix before "beta 1". |
|
...and here's a patch for 3.2 |
|
New changeset fc88bd80d925 by Georg Brandl in branch '3.3': |
|
Also merged to default. |
|
Just a small detail on the patches, they seem to have a typo
|
|
New changeset 5be778fec115 by Berker Peksag in branch '3.4': New changeset 051cc4f60384 by Berker Peksag in branch 'default': |
|
3.1 is finished and Georg decided to skip 3.2. |
|
New changeset 985bda4edf9d by Georg Brandl in branch '3.2': |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: