[3.12] gh-130637: Add validation for numeric response data in stat() method (GH-130646) (#130764)

miss-islington · Mr-Sunglasses · ericvsmith · web-flow · commit d9ca98a92d8f · 2025-03-02T15:05:46.000-05:00
gh-130637: Add validation for numeric response data in `stat()` method (GH-130646) (cherry picked from commit a42168d) Co-authored-by: Kanishk Pachauri <itskanishkp.py@gmail.com> Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
diff --git a/Lib/poplib.py b/Lib/poplib.py
@@ -226,8 +226,19 @@ def stat(self):
         retval = self._shortcmd('STAT')
         rets = retval.split()
         if self._debugging: print('*stat*', repr(rets))
-        numMessages = int(rets[1])
-        sizeMessages = int(rets[2])
+
+        # Check if the response has enough elements
+        # RFC 1939 requires at least 3 elements (+OK, message count, mailbox size)
+        # but allows additional data after the required fields
+        if len(rets) < 3:
+            raise error_proto("Invalid STAT response format")
+
+        try:
+            numMessages = int(rets[1])
+            sizeMessages = int(rets[2])
+        except ValueError:
+            raise error_proto("Invalid STAT response data: non-numeric values")
+
         return (numMessages, sizeMessages)
 
 
diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
@@ -289,6 +289,37 @@ def test_pass_(self):
     def test_stat(self):
         self.assertEqual(self.client.stat(), (10, 100))
 
+        original_shortcmd = self.client._shortcmd
+        def mock_shortcmd_invalid_format(cmd):
+            if cmd == 'STAT':
+                return b'+OK'
+            return original_shortcmd(cmd)
+
+        self.client._shortcmd = mock_shortcmd_invalid_format
+        with self.assertRaises(poplib.error_proto):
+            self.client.stat()
+
+        def mock_shortcmd_invalid_data(cmd):
+            if cmd == 'STAT':
+                return b'+OK abc def'
+            return original_shortcmd(cmd)
+
+        self.client._shortcmd = mock_shortcmd_invalid_data
+        with self.assertRaises(poplib.error_proto):
+            self.client.stat()
+
+        def mock_shortcmd_extra_fields(cmd):
+            if cmd == 'STAT':
+                return b'+OK 1 2 3 4 5'
+            return original_shortcmd(cmd)
+
+        self.client._shortcmd = mock_shortcmd_extra_fields
+
+        result = self.client.stat()
+        self.assertEqual(result, (1, 2))
+
+        self.client._shortcmd = original_shortcmd
+
     def test_list(self):
         self.assertEqual(self.client.list()[1:],
                          ([b'1 1', b'2 2', b'3 3', b'4 4', b'5 5'],
diff --git a/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst b/Misc/NEWS.d/next/Library/2025-03-01-02-19-28.gh-issue-130637.swet54w4rs.rst
@@ -0,0 +1 @@
+Add validation for numeric response data in poplib.POP3.stat() method

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Add validation for numeric response data in poplib.POP3.stat() method`