Cleartext Transmission of Sensitive Information in the poplib Module
The Python module poplib provides a number of functions for accessing POP servers. However, the default behavior of the module does not use secure connections. This means that data transmitted over the network, including passwords, is sent in cleartext, which makes it possible for attackers to intercept and read this data.
The Python module poplib should only be used in a secure manner to protect sensitive data when accessing POP servers.
Example
import getpass
import poplib
# Plain POP3 on port 110: the whole session, including the credentials
# sent by user() and pass_(), crosses the network unencrypted.
M = poplib.POP3('localhost')
M.user(getpass.getuser())
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i+1)[1]:
        print(j)
Remediation
If the POP protocol must be used and sensitive data will be transferred, it is recommended to secure the connection using the POP3_SSL class, which opens a TLS-encrypted session from the start.
Alternatively, the stls() method can be used to upgrade an existing POP3 connection to a secure session before any credentials are sent.
import getpass
import poplib
# POP3_SSL connects on port 995 and wraps the socket in TLS before the
# credentials below are transmitted.
M = poplib.POP3_SSL('localhost')
M.user(getpass.getuser())
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i+1)[1]:
        print(j)
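The following is an added example, not code from the rule's documentation or from the poplib module itself. It turns the remediation above into a small helper that secures the session either way the text describes: implicit TLS via POP3_SSL on port 995, or an STLS upgrade on port 110 that refuses to authenticate when the server does not offer STLS. It also passes an explicit ssl.create_default_context() so that certificate and hostname verification are enforced rather than relying on whatever context poplib builds by default. The host "localhost", the port-to-transport mapping and the helper names (make_pop3_context, context_is_strict, choose_transport, connect_pop3, fetch_all) are this example's own assumptions.

```python
import getpass
import poplib
import ssl

# Standard POP3 ports (constructed here; poplib exposes the same values).
POP3_PORT = 110
POP3_SSL_PORT = 995


def make_pop3_context() -> ssl.SSLContext:
    """Build a TLS context that verifies the server certificate and hostname.

    The context is passed explicitly to POP3_SSL / stls() so the session is
    not only encrypted but also authenticated against the system trust store.
    """
    context = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return context


def context_is_strict(context: ssl.SSLContext) -> bool:
    """Sanity check before use: verification on, hostname checked, TLS >= 1.2."""
    return (
        context.verify_mode == ssl.CERT_REQUIRED
        and bool(context.check_hostname)
        and context.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def choose_transport(port: int) -> str:
    """Map the port to the way the connection must be secured.

    995 is the implicit-TLS port handled by POP3_SSL; 110 is plain POP3,
    where STLS must complete before any credentials are sent.
    """
    if port == POP3_SSL_PORT:
        return "implicit_tls"
    if port == POP3_PORT:
        return "starttls"
    raise ValueError(f"unrecognised POP3 port {port}")


def connect_pop3(host: str, port: int = POP3_SSL_PORT,
                 timeout: float = 30.0) -> poplib.POP3:
    """Open a POP3 session that is encrypted before credentials are sent."""
    context = make_pop3_context()
    if not context_is_strict(context):
        raise RuntimeError("refusing a TLS context without certificate verification")

    if choose_transport(port) == "implicit_tls":
        return poplib.POP3_SSL(host, port, timeout=timeout, context=context)

    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        # stls() upgrades the existing cleartext connection. It raises
        # error_proto when the server does not advertise STLS; in that case
        # close the socket instead of falling back to cleartext login.
        conn.stls(context=context)
    except poplib.error_proto as exc:
        conn.close()
        raise RuntimeError(f"{host}:{port} does not support STLS; "
                           "not sending credentials") from exc
    return conn


def fetch_all(conn: poplib.POP3) -> None:
    """Authenticate and print every message, mirroring the page's example."""
    conn.user(getpass.getuser())
    conn.pass_(getpass.getpass())
    for i in range(len(conn.list()[1])):
        for line in conn.retr(i + 1)[1]:
            print(line)


if __name__ == "__main__":
    session = connect_pop3("localhost")  # assumed host; adjust for your server
    try:
        fetch_all(session)
    finally:
        session.quit()
```

Calling connect_pop3(host) with the default port gives the POP3_SSL path; connect_pop3(host, 110) gives the STLS path. In both cases user() and pass_() only run after TLS is established, which is the property the rule is checking for.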
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY014) or the rule category name (cleartext_transmission).
- Using rule ID
import getpass
import poplib
# suppress: PY014
M = poplib.POP3('localhost')
# suppress: PY014
M.user(getpass.getuser())
# suppress: PY014
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i+1)[1]:
        print(j)
- Using category name
import getpass
import poplib
# suppress: cleartext_transmission
M = poplib.POP3('localhost')
# suppress: cleartext_transmission
M.user(getpass.getuser())
# suppress: cleartext_transmission
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i+1)[1]:
        print(j)