Author ecbftw
Recipients ecbftw
Date 2017-02-20.16:49:02
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1487609342.46.0.653185585548.issue29606@psf.upfronthosting.co.za>
In-reply-to
Content
Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

This was reported to security at python dot org, but as far as I can tell, they sat on it for a year.

I don't think there is a proper way to encode newlines in CWD commands, according the FTP RFC.  If that is the case, then I suggest throwing an exception on any URLs that contain one of '\r\n\0' or any other characters that the FTP protocol simply can't support.
History
Date User Action Args
2017-02-20 16:49:02ecbftwsetrecipients: + ecbftw
2017-02-20 16:49:02ecbftwsetmessageid: <1487609342.46.0.653185585548.issue29606@psf.upfronthosting.co.za>
2017-02-20 16:49:02ecbftwlinkissue29606 messages
2017-02-20 16:49:02ecbftwcreate