From: Serhiy Storchaka Date: Sun, 20 Oct 2013 14:02:10 +0000 (+0300) Subject: Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by X-Git-Tag: v3.4.0b1~571^2~49 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2acc456c334460a7430e386772d1c48b1e0e7c7f;p=python Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by limiting the call to readline(). Original patch by Michał Jastrzębski and Giampaolo Rodola. --- 2acc456c334460a7430e386772d1c48b1e0e7c7f diff --cc Lib/ftplib.py index fcd4b148c3,5e75e6d422..9538fec472 --- a/Lib/ftplib.py +++ b/Lib/ftplib.py @@@ -197,15 -197,14 +200,17 @@@ class FTP # Internal: return one line from the server, stripping CRLF. # Raise EOFError if the connection is closed def getline(self): - line = self.file.readline() + line = self.file.readline(self.maxline + 1) + if len(line) > self.maxline: + raise Error("got more than %d bytes" % self.maxline) if self.debugging > 1: print('*get*', self.sanitize(line)) - if not line: raise EOFError - if line[-2:] == CRLF: line = line[:-2] - elif line[-1:] in CRLF: line = line[:-1] + if not line: + raise EOFError + if line[-2:] == CRLF: + line = line[:-2] + elif line[-1:] in CRLF: + line = line[:-1] return line # Internal: get a response from the server, which may possibly @@@ -463,9 -451,10 +468,11 @@@ with self.transfercmd(cmd) as conn, \ conn.makefile('r', encoding=self.encoding) as fp: while 1: - line = fp.readline() + line = fp.readline(self.maxline + 1) + if len(line) > self.maxline: + raise Error("got more than %d bytes" % self.maxline) - if self.debugging > 2: print('*retr*', repr(line)) + if self.debugging > 2: + print('*retr*', repr(line)) if not line: break if line[-2:] == CRLF: @@@ -522,9 -503,10 +529,11 @@@ self.voidcmd('TYPE A') with self.transfercmd(cmd) as conn: while 1: - buf = fp.readline() + buf = fp.readline(self.maxline + 1) + if len(buf) > self.maxline: + raise Error("got more than %d bytes" % self.maxline) - if not buf: break + if not buf: + 
break if buf[-2:] != B_CRLF: if buf[-1] in B_CRLF: buf = buf[:-1] buf = buf + B_CRLF diff --cc Misc/NEWS index ca2acf527f,dfce8a754f..6fa733b9dc --- a/Misc/NEWS +++ b/Misc/NEWS @@@ -10,97 -12,80 +10,101 @@@ Projected release date: 2013-10-2 Core and Builtins ----------------- +- Issue #19301: Give classes and functions that are explicitly marked global a + global qualname. + - Issue #19279: UTF-7 decoder no more produces illegal strings. -- Fix macro expansion of _PyErr_OCCURRED(), and make sure to use it in at - least one place so as to avoid regressions. +- Issue #16612: Add "Argument Clinic", a compile-time preprocessor for + C files to generate argument parsing code. (See PEP 436.) -- Issue #19014: memoryview.cast() is now allowed on zero-length views. +- Issue #18810: Shift stat calls in importlib.machinery.FileFinder such that + the code is optimistic that if something exists in a directory named exactly + like the possible package being searched for that it's in actuality a + directory. -- Issue #19098: Prevent overflow in the compiler when the recursion limit is set - absurdly high. +- Issue #18416: importlib.machinery.PathFinder now treats '' as the cwd and + importlib.machinery.FileFinder no longer special-cases '' to '.'. This leads + to modules imported from cwd to now possess an absolute file path for + __file__ (this does not affect modules specified by path on the CLI but it + does affect -m/runpy). It also allows FileFinder to be more consistent by not + having an edge case. -- Issue #18942: sys._debugmallocstats() output was damaged on Windows. +- Issue #4555: All exported C symbols are now prefixed with either + "Py" or "_Py". -- Issue #18667: Add missing "HAVE_FCHOWNAT" symbol to posix._have_functions. +- Issue #19219: Speed up marshal.loads(), and make pyc files slightly + (5% to 10%) smaller. -- Issue #18368: PyOS_StdioReadline() no longer leaks memory when realloc() - fails. +- Issue #19221: Upgrade Unicode database to version 6.3.0. 
-- Issue #16741: Fix an error reporting in int(). +- Issue #16742: The result of the C callback PyOS_ReadlineFunctionPointer must + now be a string allocated by PyMem_RawMalloc() or PyMem_RawRealloc() (or NULL + if an error occurred), instead of a string allocated by PyMem_Malloc() or + PyMem_Realloc(). -- Issue #17899: Fix rare file descriptor leak in os.listdir(). +- Issue #19199: Remove ``PyThreadState.tick_counter`` field -- Issue #18552: Check return value of PyArena_AddPyObject() in - obj2ast_object(). +- Fix macro expansion of _PyErr_OCCURRED(), and make sure to use it in at + least one place so as to avoid regressions. -- Issue #18560: Fix potential NULL pointer dereference in sum(). +- Issue #19087: Improve bytearray allocation in order to allow cheap popping + of data at the front (slice deletion). -- Issue #15905: Fix theoretical buffer overflow in handling of sys.argv[0], - prefix and exec_prefix if the operation system does not obey MAXPATHLEN. +- Issue #19014: memoryview.cast() is now allowed on zero-length views. -- Issue #18344: Fix potential ref-leaks in _bufferedreader_read_all(). +- Issue #18690: memoryview is now automatically registered with + collections.abc.Sequence -- Issue #17872: Fix a segfault in marshal.load() when input stream returns - more bytes than requested. +- Issue #19078: memoryview now correctly supports the reversed builtin + (Patch by Claudiu Popa) -- Issue #18426: Fix NULL pointer dereference in C extension import when - PyModule_GetDef() returns an error. +Library +------- -- Issue #18328: Reorder ops in PyThreadState_Delete*() functions. Now the - tstate is first removed from TLS and then deallocated. ++- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by ++ limiting the call to readline(). Original patch by Michał ++ Jastrzębski and Giampaolo Rodola. + -- Issue #18184: PyUnicode_FromFormat() and PyUnicode_FromFormatV() now raise - OverflowError when an argument of %c format is out of range. 
+- Issue #17087: Improved the repr for regular expression match objects. -- Issue #18137: Detect integer overflow on precision in float.__format__() - and complex.__format__(). +- Issue #18235: Fix the sysconfig variables LDSHARED and BLDSHARED under AIX. + Patch by David Edelsohn. -- Issue #18183: Fix various unicode operations on strings with large unicode - codepoints. +- Issue #18606: Add the new "statistics" module (PEP 450). Contributed + by Steven D'Aprano. -- Issue #18180: Fix ref leak in _PyImport_GetDynLoadWindows(). +- Issue #12866: The audioop module now supports 24-bit samples. -- Issue #18038: SyntaxError raised during compilation sources with illegal - encoding now always contains an encoding name. +- Issue #19254: Provide an optimized Python implementation of pbkdf2_hmac. -- Issue #17644: Fix a crash in str.format when curly braces are used in square - brackets. +- Issues #19201, #19222, #19223: Add "x" mode (exclusive creation) in opening + file to bz2, gzip and lzma modules. Patches by Tim Heaney and Vajrasky Kok. -- Issue #17983: Raise a SyntaxError for a ``global __class__`` statement in a - class body. +- Fix a reference count leak in _sre. -- Issue #17927: Frame objects kept arguments alive if they had been copied into - a cell, even if the cell was cleared. +- Issue #19262: Initial check in of the 'asyncio' package (a.k.a. Tulip, + a.k.a. PEP 3156). There are no docs yet, and the PEP is slightly + out of date with the code. This module will have *provisional* status + in Python 3.4. -Library -------- +- Issue #19276: Fixed the wave module on 64-bit big-endian platforms. -- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by - limiting the call to readline(). Original patch by Michał - Jastrzębski and Giampaolo Rodola. 
+- Issue #19266: Rename the new-in-3.4 ``contextlib.ignore`` context manager + to ``contextlib.suppress`` in order to be more consistent with existing + descriptions of that operation elsewhere in the language and standard + library documentation (Patch by Zero Piraeus). -- Issue #18235: Fix the sysconfig variables LDSHARED and BLDSHARED under AIX. - Patch by David Edelsohn. +- Issue #18891: Completed the new email package (provisional) API additions + by adding new classes EmailMessage, MIMEPart, and ContentManager. -- Issue #19276: Fixed the wave module on 64-bit big-endian platforms. +- Issue #18281: Unused stat constants removed from `tarfile`. + +- Issue #18468: The re.split, re.findall, and re.sub functions and the group() + and groups() methods of match object now always return a string or a bytes + object. + +- Issue #18725: The textwrap module now supports truncating multiline text. - Issue #18776: atexit callbacks now display their full traceback when they raise an exception.
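Review bot: in the getline() hunk, `line = self.file.readline(self.maxline + 1)` reads a `self.maxline` attribute that nothing in this patch defines; the class-level default and its meaning belong in the same change (and in the ftplib docs) so callers that legitimately need longer lines can raise it. Two follow-ups from the same hunk: when `raise Error("got more than %d bytes" % self.maxline)` fires, only maxline + 1 characters of the oversized line have been consumed and the rest is still pending on self.file, so a caller that catches Error and keeps using the FTP object is desynchronised from the server; document that the connection should be closed after this error. And the patch touches only Lib/ftplib.py and Misc/NEWS, so there is no regression test exercising the new limit.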
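Review bot: in the retrlines hunk the message "got more than %d bytes" is inaccurate: fp is created by `conn.makefile('r', encoding=self.encoding)`, so `fp.readline(self.maxline + 1)` and `len(line)` count decoded characters, not bytes, and with a multibyte encoding more than maxline bytes can arrive before the check triggers. Either say "characters" in the message and the docs, or enforce the limit on the underlying byte stream. The same wording point applies to getline() if self.file is also text-mode.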
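Review bot: the storelines hunk applies the limit to fp, which is the caller's own local file being uploaded, not data received from the remote server. That is a behaviour change for legitimate users (an upload containing a line longer than maxline now raises Error partway through the transfer, after some lines have already been sent) rather than part of the untrusted-input fix the CVE describes. If it is intended, say so in the NEWS entry and docs; otherwise keep the check on the server-facing reads in getline() and retrlines only.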
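Review bot: the Misc/NEWS entry (`++- Issue #16038: CVE-2013-1752: ftplib: Limit amount of data read by`) names the CVE but not the user-visible change: it should mention the new maxline attribute, its default value, and that ftplib.Error is now raised when a line exceeds it, so that users who start seeing the new error can find the setting. The entry was also placed under the Library heading while the other hunk of this merge moves the rest of the 3.4 list around; worth a quick check that it did not land in the wrong release section.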