Skip to content

[3.13] gh-130637: Add validation for numeric response data in stat() method (GH-130646) #130763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Mar 2, 2025
Merged

[3.13] gh-130637: Add validation for numeric response data in stat() method (GH-130646) #130763

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bbab776
gh-130637: Add validation for numeric response data in `stat()` metho…
Mr-Sunglasses Mar 2, 2025
fc9aab9
Merge branch '3.13' into backport-a42168d-3.13
terryjreedy Mar 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 13 additions & 2 deletions Lib/poplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,8 +226,19 @@ def stat(self):
retval = self._shortcmd('STAT')
rets = retval.split()
if self._debugging: print('*stat*', repr(rets))
numMessages = int(rets[1])
sizeMessages = int(rets[2])

# Check if the response has enough elements
# RFC 1939 requires at least 3 elements (+OK, message count, mailbox size)
# but allows additional data after the required fields
if len(rets) < 3:
raise error_proto("Invalid STAT response format")

try:
numMessages = int(rets[1])
sizeMessages = int(rets[2])
except ValueError:
raise error_proto("Invalid STAT response data: non-numeric values")

return (numMessages, sizeMessages)


Expand Down
31 changes: 31 additions & 0 deletions Lib/test/test_poplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -289,6 +289,37 @@ def test_pass_(self):
def test_stat(self):
self.assertEqual(self.client.stat(), (10, 100))

original_shortcmd = self.client._shortcmd
def mock_shortcmd_invalid_format(cmd):
if cmd == 'STAT':
return b'+OK'
return original_shortcmd(cmd)

self.client._shortcmd = mock_shortcmd_invalid_format
with self.assertRaises(poplib.error_proto):
self.client.stat()

def mock_shortcmd_invalid_data(cmd):
if cmd == 'STAT':
return b'+OK abc def'
return original_shortcmd(cmd)

self.client._shortcmd = mock_shortcmd_invalid_data
with self.assertRaises(poplib.error_proto):
self.client.stat()

def mock_shortcmd_extra_fields(cmd):
if cmd == 'STAT':
return b'+OK 1 2 3 4 5'
return original_shortcmd(cmd)

self.client._shortcmd = mock_shortcmd_extra_fields

result = self.client.stat()
self.assertEqual(result, (1, 2))

self.client._shortcmd = original_shortcmd

def test_list(self):
self.assertEqual(self.client.list()[1:],
([b'1 1', b'2 2', b'3 3', b'4 4', b'5 5'],
Expand Down
1 change: 1 addition & 0 deletions Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add validation for numeric response data in poplib.POP3.stat() method
Loading