
classification
Title: Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem
Type: security
Stage: resolved
Components: Demos and Tools
Versions: Python 3.6, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Guido, python-dev, r.david.murray
Priority: normal
Keywords:

Created on 2014-12-30 01:56 by Guido, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (3)
msg233189 - (view) Author: Guido Vranken (Guido) Date: 2014-12-30 01:56
Tools/scripts/ftpmirror.py does not guard against arbitrary path constructions, and, given a connection to a malicious FTP server (or a man-in-the-middle attack), it is possible that any file on the client's filesystem gets overwritten. I.e., if we suppose that ftpmirror.py is run from a "base directory" /home/xxx/yyy, file creations can occur outside this base directory, such as in /tmp, /etc, /var, just to give some examples.

I've constructed a partial proof of concept FTP server that demonstrates directory and file creation outside the base directory (the directory the client script was launched from). I understand that most of the files in Tools/scripts/ are legacy applications that have long been deprecated. However, if the maintainers think these applications should be safe nonetheless, I'll be happy to construct and submit a patch that will remediate this issue.

Guido Vranken
Intelworks
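The defect described in the report is a missing containment check: names taken from the server's directory listing are joined onto the local base directory as-is, so a listing entry such as ../../etc/passwd or an absolute path lands outside the mirror tree. The following is an added example of the check a mirror client should apply before creating any local file; it is not code from CPython, from the deleted ftpmirror.py, or from the reporter's proof of concept. The function names, the sample listing and the temporary base directory are constructed for illustration.

```python
import ntpath
import os
import posixpath
import tempfile


class UnsafePathError(ValueError):
    """A server-supplied name would place a file outside the mirror directory."""


def safe_local_path(base_dir, remote_name):
    """Return the absolute local path for a remote name, or raise UnsafePathError.

    remote_name is whatever the FTP server returned in a LIST/NLST reply and is
    treated as untrusted. Checks, in order:
      1. not empty, no NUL byte, not absolute (POSIX or Windows), no drive letter;
      2. no '..' and no empty components (leading, trailing or doubled slashes);
      3. after symlink resolution the result still lies under base_dir.
    """
    if not remote_name or "\x00" in remote_name:
        raise UnsafePathError("empty name or NUL byte: %r" % (remote_name,))
    if (posixpath.isabs(remote_name) or remote_name.startswith("\\")
            or ntpath.splitdrive(remote_name)[0]):
        raise UnsafePathError("absolute path not allowed: %r" % (remote_name,))
    # FTP paths are '/'-separated; treat backslashes the same way so a name
    # like 'a\\..\\b' cannot slip past on a Windows client. '.' is harmless
    # and is dropped; '..' and empty components are refused outright.
    parts = [p for p in remote_name.replace("\\", "/").split("/") if p != "."]
    if any(p in ("", "..") for p in parts):
        raise UnsafePathError("traversal or empty component in %r" % (remote_name,))
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # realpath follows symlinks that already exist under base_dir, so a link
    # created by an earlier transfer and pointing at /etc is caught here too.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError("resolves outside base directory: %r" % (remote_name,))
    return candidate


def classify(base_dir, remote_names):
    """Map each remote name to 'ok' or 'rejected' (useful for log review)."""
    verdicts = {}
    for name in remote_names:
        try:
            safe_local_path(base_dir, name)
            verdicts[name] = "ok"
        except UnsafePathError:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample listing, of the kind a malicious server might return.
SAMPLE_NAMES = [
    "pub/README",
    "pub/./notes.txt",
    "../../../etc/passwd",
    "/tmp/evil",
    "pub/../../escape",
    "pub//double",
    "C:\\Windows\\evil",
]


def demo():
    """Run the check over SAMPLE_NAMES against a fresh temporary base directory."""
    base = tempfile.mkdtemp(prefix="ftpmirror-demo-")
    return classify(base, SAMPLE_NAMES)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-25s %s" % (name, verdict))
```

The realpath step is what makes the check hold across transfers: normalising the string alone would accept a name that traverses a symlink the server had the client create earlier, whereas comparing resolved paths rejects it.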
msg233209 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-12-30 15:51
I would guess that the most future-proof response to this would be to delete the script.  If we do keep it, it should definitely be fixed.
msg233212 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2014-12-30 16:10
New changeset 8f92ab37dd3a by Benjamin Peterson in branch '2.7':
delete old ftpmirror script, which now has security bugs (closes #23130)
https://hg.python.org/cpython/rev/8f92ab37dd3a

New changeset 223d0927e27d by Benjamin Peterson in branch '3.2':
delete old ftpmirror script, which now has security bugs (closes #23130)
https://hg.python.org/cpython/rev/223d0927e27d

New changeset e15d93926e47 by Benjamin Peterson in branch '3.3':
merge 3.2 (#23130)
https://hg.python.org/cpython/rev/e15d93926e47

New changeset 483746c32296 by Benjamin Peterson in branch '3.4':
merge 3.3 (#23130)
https://hg.python.org/cpython/rev/483746c32296

New changeset 4b64d300a67a by Benjamin Peterson in branch 'default':
merge 3.4 (#23130)
https://hg.python.org/cpython/rev/4b64d300a67a
History
Date                 User             Action  Args
2022-04-11 14:58:11  admin            set     github: 67319
2014-12-30 16:10:15  python-dev       set     status: open -> closed; nosy: + python-dev; messages: + msg233212; resolution: fixed; stage: resolved
2014-12-30 15:51:10  r.david.murray   set     nosy: + r.david.murray; messages: + msg233209
2014-12-30 01:56:34  Guido            create