classification
Title: urllib FTP protocol stream injection
Type: security Stage:
Components: Versions: Python 3.7, Python 3.6, Python 3.5, Python 3.4, Python 3.3, Python 2.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, corona10, ecbftw, haypo, supl
Priority: normal Keywords:

Created on 2017-02-20 16:49 by ecbftw, last changed 2017-04-20 20:32 by corona10.

Pull Requests
URL Status Linked Edit
PR 1216 open corona10, 2017-04-20 18:52
Messages (2)
msg288219 - (view) Author: (ecbftw) Date: 2017-02-20 16:49
Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

This was reported to security at python dot org, but as far as I can tell, they sat on it for a year.

I don't think there is a proper way to encode newlines in CWD commands, according the FTP RFC.  If that is the case, then I suggest throwing an exception on any URLs that contain one of '\r\n\0' or any other characters that the FTP protocol simply can't support.
msg291998 - (view) Author: Dong-hee Na (corona10) * Date: 2017-04-20 20:32
I uploaded the PR which check invalid URL such as ftp://foo:bar%0d%0aINJECTED@example.net/file.png
History
Date User Action Args
2017-04-20 20:32:08corona10setnosy: + corona10
messages: + msg291998
2017-04-20 18:52:52corona10setpull_requests: + pull_request1339
2017-04-11 10:51:23suplsetnosy: + supl
2017-02-23 14:56:32hayposetnosy: + haypo, christian.heimes
2017-02-20 16:49:02ecbftwcreate