Message 283294 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	xdegaye
Recipients	christian.heimes, martin.panter, serhiy.storchaka, xdegaye, zach.ware
Date	2016-12-15.12:51:34
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1481806294.67.0.0055580177102.issue28971@psf.upfronthosting.co.za>
In-reply-to

Content
It seems that the comment placed above the definition of _MAXLINE in the nntplib module is not correct: "RFC 3977 limits NNTP line length to 512 characters, including CRLF. We have selected 2048 just to be on the safe side." The 512 characters limit in RFC 3977 only applies to command lines and to the initial line of a response. RC 3977 says instead: "This document does not place any limit on the length of a line in a multi-line block. However, the standards that define the format of articles may do so." So I think _MAXLINE should have a large value (64 K ?) and its semantic is that a line whose length is above that value is considered by nntplib as a Dos attack (and not a protocol violation). In that case nntplib should behave in consequence and prevent any further reads from that connection (either by closing the connection or raising an exception on each of these attempts). IMHO this should be handled in the same issue because it is one single problem, and this may possibly be handled in two different changesets.

It seems that the comment placed above the definition of _MAXLINE in the nntplib module is not correct:
    "RFC 3977 limits NNTP line length to 512 characters, including CRLF. We have selected 2048 just to be on the safe side."
The 512 characters limit in RFC 3977 only applies to command lines and to the initial line of a response.

RC 3977 says instead:
    "This document does not place any limit on the length of a line in a multi-line block.  However, the standards that define the format of articles may do so."

So I think _MAXLINE should have a large value (64 K ?) and its semantic is that a line whose length is above that value is considered by nntplib as a Dos attack (and not a protocol violation). In that case nntplib should behave in consequence and prevent any further reads from that connection (either by closing the connection or raising an exception on each of these attempts). IMHO this should be handled in the same issue because it is one single problem, and this may possibly be handled in two different changesets.

History
Date	User	Action	Args
2016-12-15 12:51:34	xdegaye	set	recipients: + xdegaye, christian.heimes, martin.panter, zach.ware, serhiy.storchaka
2016-12-15 12:51:34	xdegaye	set	messageid: <1481806294.67.0.0055580177102.issue28971@psf.upfronthosting.co.za>
2016-12-15 12:51:34	xdegaye	link	issue28971 messages
2016-12-15 12:51:34	xdegaye	create