Skip to content

poplib.py: Missing integer parsing validation causes client crash on invalid server response #130637

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
NErinola opened this issue Feb 27, 2025 · 1 comment · Fixed by #130646
Closed

poplib.py: Missing integer parsing validation causes client crash on invalid server response #130637

NErinola opened this issue Feb 27, 2025 · 1 comment · Fixed by #130646
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@NErinola
Copy link

NErinola commented Feb 27, 2025
edited by bedevere-app bot
Loading

Crash report

What happened?

In poplib.py at line 229 the code attempts to convert a server response to an integer without first verifying that the response is numeric. If the server returns a non-numeric response, the int() conversion fails causing the client to crash.

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

No response

Linked PRs
@NErinola NErinola added the type-crash A hard crash of the interpreter, possibly with a core dump label Feb 27, 2025
Mr-Sunglasses added a commit to Mr-Sunglasses/cpython that referenced this issue Feb 27, 2025
@Mr-Sunglasses
pythongh-130637: Add validation for numeric response data in stat()
18dfd83 
… method
@Mr-Sunglasses Mr-Sunglasses mentioned this issue Feb 27, 2025
Merged
@encukou encukou added type-bug An unexpected behavior, bug, or error stdlib Python modules in the Lib dir and removed type-crash A hard crash of the interpreter, possibly with a core dump labels Feb 28, 2025
@encukou
Copy link
Member

encukou commented Feb 28, 2025

This is a wrong exception (ValueError), not a hard crash, right?

ericvsmith added a commit that referenced this issue Mar 2, 2025
@Mr-Sunglasses @ericvsmith
gh-130637: Add validation for numeric response data in stat() method (
a42168d 
#130646)

Co-authored-by: Eric V. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Mar 2, 2025
@Mr-Sunglasses @ericvsmith @miss-islington
pythongh-130637: Add validation for numeric response data in stat()
bbab776 
… method (pythonGH-130646)

(cherry picked from commit a42168d)

Co-authored-by: Kanishk Pachauri <[email protected]>
Co-authored-by: Eric V. Smith <[email protected]>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Mar 2, 2025
@Mr-Sunglasses @ericvsmith @miss-islington
pythongh-130637: Add validation for numeric response data in stat()
9148113 
… method (pythonGH-130646)

(cherry picked from commit a42168d)

Co-authored-by: Kanishk Pachauri <[email protected]>
Co-authored-by: Eric V. Smith <[email protected]>
This was referenced Mar 2, 2025
Merged
Merged
terryjreedy pushed a commit that referenced this issue Mar 2, 2025
@miss-islington @Mr-Sunglasses @ericvsmith
[3.12] gh-130637: Add validation for numeric response data in `stat()…
d9ca98a 
…` method (GH-130646) (#130764)

gh-130637: Add validation for numeric response data in `stat()` method (GH-130646)
(cherry picked from commit a42168d)

Co-authored-by: Kanishk Pachauri <[email protected]>
Co-authored-by: Eric V. Smith <[email protected]>
terryjreedy pushed a commit that referenced this issue Mar 2, 2025
@miss-islington @Mr-Sunglasses @ericvsmith
[3.13] gh-130637: Add validation for numeric response data in `stat()…
e6dfa9d 
…` method (GH-130646) (#130763)

gh-130637: Add validation for numeric response data in `stat()` method (GH-130646)
(cherry picked from commit a42168d)

Co-authored-by: Kanishk Pachauri <[email protected]>
Co-authored-by: Eric V. Smith <[email protected]>
seehwan pushed a commit to seehwan/cpython that referenced this issue Apr 16, 2025
@Mr-Sunglasses @ericvsmith @seehwan80
pythongh-130637: Add validation for numeric response data in stat()
a00022c 
… method (python#130646)

Co-authored-by: Eric V. Smith <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

gh-130637: Add validation for numeric response data in stat() method Mr-Sunglasses/cpython
2 participants
@encukou @NErinola