.. _httplib-unlimited-read:

httplib unlimited read
======================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2013-1752>`_.

Limit the HTTP header readline.

Dates:

* Disclosure date: **2009-08-28** (Python issue bpo-6791 reported)
* `Red Hat impact <https://access.redhat.com/security/updates/classification/>`_: Moderate

Fixed In
--------

* Python **2.7.2** (2011-06-11) fixed by `commit d7b6ac6 (branch 2.7) <https://github.com/python/cpython/commit/d7b6ac66c1b81d13f2efa8d9ebba69e17c158c0a>`_ (2010-12-18)
* Python **3.1.4** (2011-06-11) fixed by `commit ff1bbba (branch 3.2) <https://github.com/python/cpython/commit/ff1bbba92aad261df1ebd8fd8cc189c104e113b0>`_ (2010-12-18)
* Python **3.2.0** (2011-02-20) fixed by `commit 5466bf1 (branch 3.3) <https://github.com/python/cpython/commit/5466bf1c94d38e75bc053b0cfc163e2f948fe345>`_ (2010-12-18)

Python issue
------------

httplib read status memory usage.

* Python issue: `bpo-6791 <https://bugs.python.org/issue6791>`_
* Creation date: 2009-08-28
* Reporter: sumar

CVE-2013-1752
-------------

** REJECT ** Various versions of Python do not properly restrict readline calls, which allows remote attackers to cause a denial of service (memory consumption) via a long string, related to (1) httplib - fixed in 2.7.4, 2.6.9, and 3.3.3; (2) ftplib - fixed in 2.7.6, 2.6.9, 3.3.3; (3) imaplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; (4) nntplib - fixed in 2.7.6, 2.6.9, 3.3.3; (5) poplib - not yet fixed in 2.7.x, fixed in 2.6.9, 3.3.3; and (6) smtplib - not yet fixed in 2.7.x, fixed in 2.6.9, not yet fixed in 3.3.x. NOTE: this was REJECTed because it is incompatible with CNT1 "Independently Fixable" in the CVE Counting Decisions.

* CVE ID: `CVE-2013-1752 <https://nvd.nist.gov/vuln/detail/CVE-2013-1752/>`_
* Published: 2019-06-03
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 5.0

Timeline
--------

Timeline using the disclosure date **2009-08-28** as reference:

* 2009-08-28: `Python issue bpo-6791 <https://bugs.python.org/issue6791>`_ reported by sumar
* 2010-12-18 (**+477 days**): `commit 5466bf1 (branch 3.3) <https://github.com/python/cpython/commit/5466bf1c94d38e75bc053b0cfc163e2f948fe345>`_
* 2010-12-18 (**+477 days**): `commit d7b6ac6 (branch 2.7) <https://github.com/python/cpython/commit/d7b6ac66c1b81d13f2efa8d9ebba69e17c158c0a>`_
* 2010-12-18 (**+477 days**): `commit ff1bbba (branch 3.2) <https://github.com/python/cpython/commit/ff1bbba92aad261df1ebd8fd8cc189c104e113b0>`_
* 2011-02-20: Python 3.2.0 released
* 2011-06-11 (**+652 days**): Python 2.7.2 released
* 2011-06-11 (**+652 days**): Python 3.1.4 released
* 2019-06-03 (**+3566 days**): CVE-2013-1752 published