poplib — cleartext

Cleartext Transmission of Sensitive Information in the poplib Module

The Python standard library module poplib provides a client for the POP3 protocol. By default the POP3 class opens a plain TCP connection (port 110) with no TLS, so everything the session sends and receives, including the user name and password passed to user() and pass_(), crosses the network in cleartext and can be read or replayed by anyone able to observe the traffic.

poplib should therefore only be used over a TLS-protected connection, so that the credentials and the mailbox contents are not exposed to the network.

Example

poplib_pop3_pass_.py
import getpass
import poplib

M = poplib.POP3('localhost')          # plain TCP on port 110, no TLS
M.user(getpass.getuser())            # USER command sent in cleartext
M.pass_(getpass.getpass())           # PASS command sent in cleartext: flagged
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i+1)[1]:
        print(j)
Example Output
> precli tests/unit/rules/python/stdlib/poplib/examples/poplib_pop3_pass_.py
⛔️ Error on line 6 in tests/unit/rules/python/stdlib/poplib/examples/poplib_pop3_pass_.py
PY014: Cleartext Transmission of Sensitive Information
The 'poplib.POP3.pass_' function will transmit authentication information such as a user, password in cleartext.
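To make the rule's logic concrete, here is a simplified, added check that is not precli's implementation: it walks a module's top-level statements, tracks names bound to poplib.POP3 and poplib.POP3_SSL, treats a stls() call as securing the connection from that statement on, and reports user() and pass_() calls made while the connection is still cleartext. The source snippets it scans are constructed for this example.

```python
"""Simplified AST check for cleartext poplib authentication (added example).

Not precli's implementation. Only top-level statements are inspected and only
the user()/pass_() methods are reported, matching the message on this page.
"""
import ast

CONSTRUCTORS = {"POP3": False, "POP3_SSL": True}   # name -> encrypted at connect?
AUTH_METHODS = {"user", "pass_"}                    # send credentials on the wire


def _poplib_constructor(node):
    """Return 'POP3' or 'POP3_SSL' if node is poplib.<ctor>(...), else None."""
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and isinstance(node.func.value, ast.Name)
            and node.func.value.id == "poplib"
            and node.func.attr in CONSTRUCTORS):
        return node.func.attr
    return None


def find_cleartext_auth(source: str) -> list[tuple[int, str]]:
    """Return (line, qualified method) for each credential sent in cleartext."""
    secured: dict[str, bool] = {}            # variable name -> TLS established?
    findings: list[tuple[int, str]] = []
    for stmt in ast.parse(source).body:      # top-level statements, source order
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)):
            ctor = _poplib_constructor(stmt.value)
            if ctor is not None:
                secured[stmt.targets[0].id] = CONSTRUCTORS[ctor]
                continue
        for node in ast.walk(stmt):
            if not (isinstance(node, ast.Call)
                    and isinstance(node.func, ast.Attribute)
                    and isinstance(node.func.value, ast.Name)
                    and node.func.value.id in secured):
                continue
            var, method = node.func.value.id, node.func.attr
            if method == "stls":
                secured[var] = True          # STLS upgrades this connection
            elif method in AUTH_METHODS and not secured[var]:
                findings.append((node.lineno, f"poplib.POP3.{method}"))
    return findings


# Constructed inputs: the vulnerable pattern and three remediations/edge cases.
VULNERABLE = """\
import getpass
import poplib

M = poplib.POP3('localhost')
M.user(getpass.getuser())
M.pass_(getpass.getpass())
"""
IMPLICIT_TLS = VULNERABLE.replace("poplib.POP3(", "poplib.POP3_SSL(")
STARTTLS = """\
import getpass
import poplib
import ssl

M = poplib.POP3('localhost')
M.stls(context=ssl.create_default_context())
M.user(getpass.getuser())
M.pass_(getpass.getpass())
"""
LATE_STLS = """\
import poplib

M = poplib.POP3('localhost')
M.user('alice')
M.pass_('hunter2')
M.stls()
"""

if __name__ == "__main__":
    for name, src in [("VULNERABLE", VULNERABLE), ("IMPLICIT_TLS", IMPLICIT_TLS),
                      ("STARTTLS", STARTTLS), ("LATE_STLS", LATE_STLS)]:
        for line, method in find_cleartext_auth(src):
            print(f"{name}: line {line}: '{method}' transmits credentials in cleartext")
```

The LATE_STLS case is the one worth remembering: calling stls() after user()/pass_() encrypts only the rest of the session, the credentials have already gone out in cleartext, so the check still reports them.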

Remediation

If POP must be used and credentials or mail content will be transferred, secure the connection before any credentials are sent. Either instantiate poplib.POP3_SSL, which negotiates TLS as soon as the socket is opened (port 995 by default), or connect with poplib.POP3 and call stls() to upgrade the session with the STLS command (RFC 2595) before calling user() and pass_(). In both cases pass an ssl.SSLContext built with ssl.create_default_context(): when context is None, poplib uses ssl._create_stdlib_context(), which does not verify the server certificate or hostname, so the session is encrypted but still open to an active man-in-the-middle.

poplib_pop3_pass_.py
import getpass
import poplib
import ssl


# Implicit TLS on port 995. The explicit context verifies the server
# certificate and hostname; poplib's default (context=None) does not.
M = poplib.POP3_SSL('localhost', context=ssl.create_default_context())
M.user(getpass.getuser())
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i+1)[1]:
        print(j)
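Both remediation paths, with the certificate-verification caveat enforced, as an added example that is not code from the poplib documentation or from precli. The host name, credentials and the open_pop3 helper are assumptions for illustration; the unverified_default_context() function reproduces the verification settings (no certificate check, no hostname check) that poplib applies when context=None, built explicitly so the example does not call private ssl API.

```python
"""Open a POP3 session that never sends credentials in cleartext (added example).

Not code from poplib or precli. starttls=False uses poplib.POP3_SSL (implicit
TLS, port 995); starttls=True connects with poplib.POP3 and upgrades with
stls() before USER/PASS. Either way the TLS context must verify the server.
"""
import poplib
import ssl


def verified_context() -> ssl.SSLContext:
    """TLS client context with certificate and hostname verification enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 / 1.1
    return ctx


def unverified_default_context() -> ssl.SSLContext:
    """Same verification settings poplib uses when context=None (assumed,
    constructed here instead of calling the private ssl._create_stdlib_context)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Reject any context that would accept an arbitrary server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_pop3(host, username, password, *, starttls=False, context=None,
              timeout=30.0) -> poplib.POP3:
    """Authenticate to a POP3 server over verified TLS.

    Raises ValueError before any network I/O if the context would not verify
    the server, and refuses to fall back to cleartext if STLS is rejected.
    """
    ctx = context if context is not None else verified_context()
    if not context_is_safe(ctx):
        raise ValueError("TLS context does not verify the server certificate")
    if starttls:
        conn = poplib.POP3(host, poplib.POP3_PORT, timeout=timeout)
        try:
            conn.stls(context=ctx)      # upgrade *before* USER/PASS
        except poplib.error_proto:
            conn.quit()                 # server lacks STLS: abort, do not fall back
            raise
    else:
        conn = poplib.POP3_SSL(host, poplib.POP3_SSL_PORT, timeout=timeout,
                               context=ctx)
    conn.user(username)                 # now inside the TLS tunnel
    conn.pass_(password)
    return conn


if __name__ == "__main__":
    # Assumed host and credentials; this will attempt a real connection.
    conn = open_pop3("pop.example.invalid", "alice", "secret", starttls=True)
    print(conn.stat())
    conn.quit()
```

The refusal in the STLS branch matters: a downgrade attacker who strips the server's STLS capability would otherwise turn the "secure" path back into the cleartext pattern this rule flags.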

Default Configuration

enabled = true
level = "error"

New in version 0.1.9