Synchronous Access of POP3 without Timeout
The poplib.POP3 and poplib.POP3_SSL classes are used to connect to mail servers using the Post Office Protocol version 3 (POP3) for retrieving emails. By default, these classes do not enforce a timeout on the network connection, which means that an application could block indefinitely if the mail server becomes unresponsive or there is a network failure. This can result in resource exhaustion, Denial of Service (DoS), or unresponsive behavior in the application.
This rule ensures that a timeout parameter is provided when creating instances of poplib.POP3 or poplib.POP3_SSL, to prevent the risk of indefinite blocking during network communication.
Failing to specify a timeout in these classes may cause the application to block indefinitely while waiting for a response from the mail server. This can lead to Denial of Service (DoS) vulnerabilities or cause the application to become unresponsive.
Example
import poplib
import ssl
# No timeout argument: the call below blocks for as long as the server stays silent
pop = poplib.POP3("mail.my-mail-server.com")
pop.stls(ssl.create_default_context())
Remediation
Always provide a timeout parameter when using poplib.POP3 or poplib.POP3_SSL. This ensures that if the mail server is unreachable or unresponsive, the connection attempt will fail after a set period, preventing indefinite blocking and resource exhaustion.
Alternatively, the global default timeout can be set via socket.setdefaulttimeout(). This is a good option to enforce a consistent timeout for any network library that uses sockets, including poplib. Note that the global default only applies when no timeout argument is passed at all: explicitly passing timeout=None to the POP3 constructor overrides it and makes that connection blocking again.
import poplib
import ssl
# Connection setup and every subsequent command fail with socket.timeout after 5 seconds
pop = poplib.POP3("mail.my-mail-server.com", timeout=5)
pop.stls(ssl.create_default_context())
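The following is an added example, not code from the rule page or from the analyzer's project. It stands up a constructed local "mail server" that accepts TCP connections but never sends the POP3 greeting (the condition the rule is about), then shows that both remediations described above, an explicit timeout argument and socket.setdefaulttimeout(), turn the otherwise indefinite block inside poplib.POP3's constructor into a socket.timeout after the configured period. The helper names and the 0.5 second timeout are this example's own choices.

```python
import poplib
import socket
import threading


def start_stalled_pop3_server():
    """Constructed test double: accepts TCP connections but never sends the
    POP3 greeting, which is exactly how a hung mail server looks to poplib."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port on localhost
    srv.listen(5)
    held = []  # keep accepted sockets open so the client keeps waiting
    def serve():
        while True:
            try:
                held.append(srv.accept()[0])
            except OSError:  # listening socket was closed
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _greeting_or_timeout(make_client):
    """Return 'timeout' if reading the POP3 greeting times out, else the greeting."""
    try:
        pop = make_client()  # POP3.__init__ blocks here reading the greeting
    except socket.timeout:
        return "timeout"
    try:
        return pop.welcome.decode()
    finally:
        pop.close()


def connect_with_explicit_timeout(host, port, timeout):
    """Remediated form: the timeout is passed to poplib.POP3 itself."""
    return _greeting_or_timeout(lambda: poplib.POP3(host, port, timeout=timeout))


def connect_with_global_default(host, port, timeout):
    """Alternative remediation: socket.setdefaulttimeout() covers every socket
    created afterwards. Do not pass timeout=None to POP3: it overrides this."""
    previous = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        return _greeting_or_timeout(lambda: poplib.POP3(host, port))
    finally:
        socket.setdefaulttimeout(previous)
```

Against a real server the functions return the greeting line (for example "+OK ..."); against the stalled server both return "timeout" after half a second instead of hanging.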
False Positives
In the case of a false positive the rule can be suppressed. Simply add a trailing or preceding comment line with either the rule ID (PY043) or the rule category name (no_timeout).
Using rule ID:
import poplib
import ssl
# suppress: PY043
pop = poplib.POP3("mail.my-mail-server.com")
pop.stls(ssl.create_default_context())
Using category name:
import poplib
import ssl
# suppress: no_timeout
pop = poplib.POP3("mail.my-mail-server.com")
pop.stls(ssl.create_default_context())