pythongh-119511: Fix OOM vulnerability in imaplib

The IMAP4 client could consume an arbitrary amount of memory when trying to connent to a malicious server, because it read a "literal" data with a single read(size) call, and BufferedReader.read() allocates the bytes object of the specified size before reading. Now the IMAP4 client reads data by chunks, therefore the amount of used memory is limited by the amount of the data actually been sent by the server.
serhiy-storchaka · May 24, 2024 · 6322049 · 6322049
1 parent b48a3db
commit 6322049
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/Lib/imaplib.py b/Lib/imaplib.py
@@ -52,6 +52,9 @@
 # search command can be quite large, so we now use 1M.
 _MAXLINE = 1000000
 
+# Data larger than this will be read in chunks, to prevent extreme
+# overallocation.
+_SAFE_BUF_SIZE = 1 << 20
 
 #       Commands
 
@@ -315,6 +318,13 @@ def open(self, host='', port=IMAP4_PORT, timeout=None):
 
     def read(self, size):
         """Read 'size' bytes from remote."""
+        cursize = min(size, _SAFE_BUF_SIZE)
+        data = self.file.read(cursize)
+        while cursize < size and len(data) == cursize:
+            delta = min(cursize, size - cursize)
+            data += self.file.read(delta)
+            cursize += delta
+        return data
         return self.file.read(size)
 
 

diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
@@ -907,6 +907,18 @@ def handle(self):
             self.assertRaises(imaplib.IMAP4.error,
                               self.imap_class, *server.server_address)
 
+    def test_truncated_large_literal(self):
+        class BadHandler(SimpleIMAPHandler):
+            def handle(self):
+                self._send_textline('* OK {%d}' % size)
+                self._send_textline('IMAP4rev1')
+
+        for w in range(15, 64):
+            size = 1 << w
+            with self.reaped_server(BadHandler) as server:
+                self.assertRaises(imaplib.IMAP4.abort,
+                                  self.imap_class, *server.server_address)
+
     @threading_helper.reap_threads
     def test_simple_with_statement(self):
         # simplest call

diff --git a/Misc/NEWS.d/next/Security/2024-05-24-21-00-52.gh-issue-119511.jKrXQ8.rst b/Misc/NEWS.d/next/Security/2024-05-24-21-00-52.gh-issue-119511.jKrXQ8.rst
@@ -0,0 +1,2 @@
+Fix a vulnerability in the :mod:`imaplib` module, when connecting to a
+malicious server could cause an arbitrary amount of memory to be consumed.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Fix a vulnerability in the :mod:`imaplib` module, when connecting to a
		malicious server could cause an arbitrary amount of memory to be consumed.