gh-130637: Add validation for numeric response data in `stat()` method (#130646)

Co-authored-by: Eric V. Smith <ericvsmith@users.noreply.github.com>
author: Kanishk Pachauri <itskanishkp.py@gmail.com> 2025-03-02 18:35:40 +0530
committer: GitHub <noreply@github.com> 2025-03-02 08:05:40 -0500
commit: a42168d316f0c9a4fc5658dab87682dc19054efb (patch)
tree: 0c06a910aec6a10e43c1ea6820aa4caa4199e8b8 /Lib/poplib.py
parent: 990ad272f66fe6a50087ad044725bb0f9f8e181d (diff)
download: cpython-a42168d316f0c9a4fc5658dab87682dc19054efb.tar.gz
cpython-a42168d316f0c9a4fc5658dab87682dc19054efb.zip
1 files changed, 13 insertions, 2 deletions
diff --git a/Lib/poplib.py b/Lib/poplib.py
index beb93a0d57c..4469bff44b4 100644
--- a/Lib/poplib.py
+++ b/Lib/poplib.py
@@ -226,8 +226,19 @@ class POP3:
         retval = self._shortcmd('STAT')
         rets = retval.split()
         if self._debugging: print('*stat*', repr(rets))
-        numMessages = int(rets[1])
-        sizeMessages = int(rets[2])
+
+        # Check if the response has enough elements
+        # RFC 1939 requires at least 3 elements (+OK, message count, mailbox size)
+        # but allows additional data after the required fields
+        if len(rets) < 3:
+            raise error_proto("Invalid STAT response format")
+
+        try:
+            numMessages = int(rets[1])
+            sizeMessages = int(rets[2])
+        except ValueError:
+            raise error_proto("Invalid STAT response data: non-numeric values")
+
         return (numMessages, sizeMessages)
author	Kanishk Pachauri <itskanishkp.py@gmail.com>	2025-03-02 18:35:40 +0530
committer	GitHub <noreply@github.com>	2025-03-02 08:05:40 -0500
commit	a42168d316f0c9a4fc5658dab87682dc19054efb (patch)
tree	0c06a910aec6a10e43c1ea6820aa4caa4199e8b8 /Lib/poplib.py
parent	990ad272f66fe6a50087ad044725bb0f9f8e181d (diff)
download	cpython-a42168d316f0c9a4fc5658dab87682dc19054efb.tar.gz cpython-a42168d316f0c9a4fc5658dab87682dc19054efb.zip