
poplib — unverified context

Improper Certificate Validation Using poplib

When the context parameter is unset or None, the Python class poplib.POP3_SSL creates an SSL context that does not verify the server's certificate. An attacker who can intercept the connection can therefore impersonate a legitimate server and fool your application into connecting to it.

If you use poplib.POP3_SSL or poplib.POP3.stls without setting a context, you expose your application to a number of security risks, including:

  • Machine-in-the-middle attacks
  • Session hijacking
  • Data theft

Example

poplib_pop3_ssl_context_unset.py
import getpass
import poplib


M = poplib.POP3_SSL("localhost")
M.user(getpass.getuser())
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i + 1)[1]:
        print(j)

Example Output
> precli tests/unit/rules/python/stdlib/poplib/examples/poplib_pop3_ssl_context_unset.py
⚠️  Warning on line 5 in tests/unit/rules/python/stdlib/poplib/examples/poplib_pop3_ssl_context_unset.py
PY025: Improper Certificate Validation
The 'poplib.POP3_SSL' function does not properly validate certificates when context is unset or None.
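The warning above is produced by precli; as an added illustration of the condition the rule looks for (this is not precli's implementation), the following ast-based scanner reports poplib.POP3_SSL(...) and .stls(...) calls whose context keyword is absent or literally None. The sample sources are constructed for this example and mirror the snippet above, so the unsafe call lands on line 5 just as in the precli output; the function names are assumptions of this example.

```python
import ast

# Added example, not precli's code: a minimal scanner for POP3_SSL / stls
# calls made without a verifying context.


def _names_bound_to_poplib(tree):
    """Collect module aliases for poplib and names imported directly from it."""
    module_aliases, direct_names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "poplib":
                    module_aliases.add(alias.asname or "poplib")
        elif isinstance(node, ast.ImportFrom) and node.module == "poplib":
            for alias in node.names:
                if alias.name == "POP3_SSL":
                    direct_names.add(alias.asname or alias.name)
    return module_aliases, direct_names


def _callee(call, module_aliases, direct_names):
    """Return a label for the interesting callee, or None for other calls."""
    func = call.func
    if isinstance(func, ast.Name) and func.id in direct_names:
        return "poplib.POP3_SSL"
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        if func.attr == "POP3_SSL" and func.value.id in module_aliases:
            return "poplib.POP3_SSL"
    if isinstance(func, ast.Attribute) and func.attr == "stls":
        # Assumption: without type inference, every .stls() call is treated
        # as poplib.POP3.stls; a real tool would resolve the receiver's type.
        return "poplib.POP3.stls"
    return None


def _context_missing(call):
    """True when no context= keyword is passed, or when it is literally None."""
    for kw in call.keywords:
        if kw.arg == "context":
            return isinstance(kw.value, ast.Constant) and kw.value.value is None
    return True


def scan_source(source):
    """Return sorted (line number, callee) pairs for calls without a context."""
    tree = ast.parse(source)
    module_aliases, direct_names = _names_bound_to_poplib(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            callee = _callee(node, module_aliases, direct_names)
            if callee and _context_missing(node):
                findings.append((node.lineno, callee))
    return sorted(findings)


# Constructed samples: the unsafe call sits on line 5, as in the example above.
VULNERABLE_SRC = """\
import getpass
import poplib


M = poplib.POP3_SSL("localhost")
M.user(getpass.getuser())
"""

FIXED_SRC = """\
import poplib
import ssl

M = poplib.POP3_SSL("localhost", context=ssl.create_default_context())
"""

EXPLICIT_NONE_SRC = """\
import poplib

M = poplib.POP3_SSL("localhost", context=None)
"""

STARTTLS_SRC = """\
import poplib

M = poplib.POP3("localhost")
M.stls()
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC),
                      ("explicit None", EXPLICIT_NONE_SRC), ("stls", STARTTLS_SRC)]:
        for lineno, callee in scan_source(src):
            print(f"{name}: warning on line {lineno}: {callee} called without a verifying context")
```

The scanner only inspects the context keyword; a context passed positionally or built elsewhere and later mutated is out of scope for this example, which is why a real rule also needs data-flow tracking.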

Remediation

Set the context keyword argument to ssl.create_default_context() so that the connection verifies the server's certificate chain and hostname.

poplib_pop3_ssl_context_unset.py
import getpass
import poplib
import ssl


M = poplib.POP3_SSL(
    "localhost",
    context=ssl.create_default_context(),
)
M.user(getpass.getuser())
M.pass_(getpass.getpass())
numMessages = len(M.list()[1])
for i in range(numMessages):
    for j in M.retr(i + 1)[1]:
        print(j)
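As an added example (not precli's code and not part of the original page), the helper below builds the verifying context once, reuses it on both the implicit-TLS path (poplib.POP3_SSL) and the STARTTLS path (poplib.POP3.stls), and checks the two context properties that actually decide whether the peer is verified. The function names and the optional cafile argument for a private CA are assumptions of this example; the insecure context is constructed only for comparison and is not a claim about stdlib internals.

```python
import poplib
import ssl

# Added example, not precli's or the stdlib's code.


def pop3_client_context(cafile=None):
    """Build a verifying TLS context for POP3, optionally trusting a private CA.

    ssl.create_default_context() enables hostname checking and requires a
    trusted certificate chain. For servers signed by an internal CA, load that
    CA here instead of turning verification off.
    """
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def context_verifies_peer(ctx):
    """The check a reviewer wants: does this context actually verify the peer?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def insecure_context_for_comparison():
    """A context with verification disabled, constructed only to show what the
    check above rejects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_message_count(host, user, password, starttls=False, cafile=None):
    """Connect with a verifying context and return the number of messages.

    Both poplib.POP3_SSL and poplib.POP3.stls accept the same context keyword,
    so the STARTTLS upgrade is verified the same way as the implicit-TLS port.
    """
    ctx = pop3_client_context(cafile)
    if not context_verifies_peer(ctx):
        raise RuntimeError("refusing to connect without certificate verification")
    if starttls:
        mailbox = poplib.POP3(host)  # plaintext port, upgraded on the next line
        mailbox.stls(context=ctx)
    else:
        mailbox = poplib.POP3_SSL(host, context=ctx)
    try:
        mailbox.user(user)
        mailbox.pass_(password)
        return len(mailbox.list()[1])
    finally:
        mailbox.quit()


if __name__ == "__main__":
    print("default context verifies peer:",
          context_verifies_peer(pop3_client_context()))
    print("comparison context verifies peer:",
          context_verifies_peer(insecure_context_for_comparison()))
```

With a verifying context, connecting to a host whose certificate does not match (for example "localhost" with a self-signed certificate) fails with ssl.SSLCertVerificationError instead of silently succeeding; that failure is the signal that the remediation is in effect.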

Default Configuration

enabled = true
level = "warning"

See also

New in version 0.3.14