classification
Title: (ftplib) A remote attacker could possibly attack by containing the newline characters
Type: security Stage: resolved
Components: Versions: Python 3.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: urllib FTP protocol stream injection
View: 29606
Assigned To: Nosy List: corona10, giampaolo.rodola, martin.panter
Priority: normal Keywords:

Created on 2017-04-20 17:57 by corona10, last changed 2017-05-05 07:36 by berker.peksag. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 1214 open corona10, 2017-04-20 17:58
Messages (5)
msg291988 - (view) Author: Dong-hee Na (corona10) * Date: 2017-04-20 17:57
It was discovered that the FTP client implementation in the Networking component of Python failed to correctly handle user inputs. 
A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application if it could make it access a specially crafted FTP URL.

See 
http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3533

I upload the patch for this issue.
msg292556 - (view) Author: Dong-hee Na (corona10) * Date: 2017-04-29 02:58
One of the purposes of the JDK patch is to prevent '\ r' and '\ n' from being inserted into the ftp command. In particular, it seems to assume that if another malice command is inserted after '\ n', the possibility of such an attack will be opened at a later time.
IMO, I think that we can block '\ r \ n' and '\ n' at the same time by blocking only '\ n'. Although '\ r' allows
msg292557 - (view) Author: Dong-hee Na (corona10) * Date: 2017-04-29 03:00
'\ r' -> '\r'
'\ n' -> '\n'
msg292591 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2017-04-29 12:00
I suggest to close this as a duplicate. The pull request itself looks like the right direction to me, but let’s not split the discussion up more than necessary.
msg292693 - (view) Author: Giampaolo Rodola' (giampaolo.rodola) * (Python committer) Date: 2017-05-01 18:55
The relevant discussion of this bug is happening in https://github.com/python/cpython/pull/1214.
History
Date User Action Args
2017-05-05 07:36:46berker.peksagsetstatus: open -> closed
stage: resolved
2017-05-01 18:55:53giampaolo.rodolasetmessages: + msg292693
2017-04-29 12:00:05martin.pantersetnosy: + martin.panter
messages: + msg292591
resolution: duplicate

superseder: urllib FTP protocol stream injection
2017-04-29 03:00:23corona10setmessages: + msg292557
2017-04-29 02:58:36corona10setmessages: + msg292556
2017-04-29 02:24:06giampaolo.rodolasetnosy: + giampaolo.rodola
2017-04-20 18:13:13corona10settitle: A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application -> (ftplib) A remote attacker could possibly attack by containing the newline characters
2017-04-20 18:10:00corona10setversions: + Python 3.7
2017-04-20 17:58:26corona10setpull_requests: + pull_request1337
2017-04-20 17:57:20corona10create