classification
Title: (ftplib) A remote attacker could possibly attack by containing the newline characters
Type: security Stage:
Components: Versions: Python 3.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: corona10
Priority: normal Keywords:

Created on 2017-04-20 17:57 by corona10, last changed 2017-04-20 18:13 by corona10.

Pull Requests
URL Status Linked Edit
PR 1214 open corona10, 2017-04-20 17:58
Messages (1)
msg291988 - Author: Dong-hee Na (corona10) * Date: 2017-04-20 17:57
It was discovered that the FTP client implementation in the Networking component of Python failed to correctly handle user inputs. 
A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application if it could make it access a specially crafted FTP URL.

See http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3533

I uploaded the patch for this issue.
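
An application that accepts FTP URLs from untrusted sources can also reject newline characters itself before anything reaches ftplib. The following is an added example, not part of the original issue or of PR 1214; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit


class UnsafeFTPURL(ValueError):
    """A decoded FTP URL component contains CR or LF."""


def _check(name, value):
    # FTP commands are single lines terminated by CRLF, so a CR or LF inside
    # an argument ends the command early and begins another one.
    if "\r" in value or "\n" in value:
        raise UnsafeFTPURL(f"newline character in {name}: {value!r}")
    return value


def parse_ftp_url(url):
    """Return (host, port, user, password, path_segments) with every
    component percent-decoded and checked for embedded newlines."""
    parts = urlsplit(url)
    if parts.scheme != "ftp" or not parts.hostname:
        raise ValueError("expected ftp://host/...")
    # Decode first, then check: %0d%0a is inert as text but becomes CRLF in
    # the decoded string that would be sent on the control connection.
    user = _check("user", unquote(parts.username or "anonymous"))
    password = _check("password", unquote(parts.password or ""))
    segments = [_check("path", unquote(s)) for s in parts.path.split("/") if s]
    return parts.hostname, parts.port or 21, user, password, segments


def is_safe_ftp_url(url):
    """True if the URL parses and no component decodes to a newline."""
    try:
        parse_ftp_url(url)
    except ValueError:
        return False
    return True


# Constructed sample URLs (example.test is a reserved test domain).
SAMPLES = [
    "ftp://ftp.example.test/pub/file.txt",
    "ftp://user%0d%0aNOOP:pw@ftp.example.test/pub/file.txt",
    "ftp://ftp.example.test/pub/file.txt%0aNOOP",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(is_safe_ftp_url(url), url)
```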
History
Date User Action Args
2017-04-20 18:13:13 corona10 set title: A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application -> (ftplib) A remote attacker could possibly attack by containing the newline characters
2017-04-20 18:10:00 corona10 set versions: + Python 3.7
2017-04-20 17:58:26 corona10 set pull_requests: + pull_request1337
2017-04-20 17:57:20 corona10 create