launchpad-reviewers team mailing list archive

[William Grant <me@xxxxxxxxxxxxxxxxxx>]

William Grant has proposed merging lp:~wgrant/launchpad/2.7.9-poplib-maxline into lp:launchpad.

Commit message:
Monkeypatch poplib._MAXLINE from 2048 bytes to 10MB to work around http://bugs.python.org/issue23906.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~wgrant/launchpad/2.7.9-poplib-maxline/+merge/272068

Monkeypatch poplib._MAXLINE from 2048 bytes to 10MB.

Python 2.7.9 and Ubuntu security updates limit POP3 response lines to 2KiB, despite the fact that the server isn't allowed to break email lines that might be longer than that. The fix was intended to prevent malicious servers from DoSing by memory exhaustion, but instead an innocent server DoSes by crashing.

http://bugs.python.org/issue23906 is the upstream regression bug.

This is currently worked around by holding python2.7{,-minimal,-dev} on loganberry.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~wgrant/launchpad/2.7.9-poplib-maxline into lp:launchpad.

=== modified file 'lib/lp/services/mail/mailbox.py'
--- lib/lp/services/mail/mailbox.py	2015-07-08 16:05:11 +0000
+++ lib/lp/services/mail/mailbox.py	2015-09-23 07:58:48 +0000
@@ -23,6 +23,11 @@
 
 from lp.services.mail import stub
 
+# XXX wgrant 2015-09-21: A Python 2.7 security update set the line
+# length limit to 2048 bytes, which real POP3 servers often exceed for
+# various reasons. http://bugs.python.org/issue23906
+poplib._MAXLINE = 10000000
+
 
 class MailBoxError(Exception):
     """Indicates that some went wrong while interacting with the mail box."""