msg291988 |
Author: Dong-hee Na (corona10) * |
Date: 2017-04-20 17:57 |
It was discovered that the FTP client implementation in the Networking component of Python failed to correctly handle user inputs.
A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application if it could make it access a specially crafted FTP URL.
See
http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3533
I have uploaded a patch for this issue.
|
msg292556 |
Author: Dong-hee Na (corona10) * |
Date: 2017-04-29 02:58 |
One of the purposes of the JDK patch is to prevent '\r' and '\n' from being inserted into the FTP command. In particular, it seems to assume that if another malicious command is inserted after '\n', the possibility of such an attack will be opened at a later time.
IMO, I think that we can block '\r\n' and '\n' at the same time by blocking only '\n'. Although '\r' allows
|
msg292557 |
Author: Dong-hee Na (corona10) * |
Date: 2017-04-29 03:00 |
'\ r' -> '\r'
'\ n' -> '\n'
|
msg292591 |
Author: Martin Panter (martin.panter) * |
Date: 2017-04-29 12:00 |
I suggest to close this as a duplicate. The pull request itself looks like the right direction to me, but let’s not split the discussion up more than necessary.
|
msg292693 |
Author: Giampaolo Rodola' (giampaolo.rodola) * |
Date: 2017-05-01 18:55 |
The relevant discussion of this bug is happening in https://github.com/python/cpython/pull/1214.
|
msg298860 |
Author: Giampaolo Rodola' (giampaolo.rodola) * |
Date: 2017-07-22 17:20 |
New changeset 2b1e6e9696cb433c0e0da11145157d54275d119f by Giampaolo Rodola (Dong-hee Na) in branch 'master':
bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214)
https://github.com/python/cpython/commit/2b1e6e9696cb433c0e0da11145157d54275d119f
|
msg299141 |
Author: Giampaolo Rodola' (giampaolo.rodola) * |
Date: 2017-07-25 21:08 |
Reopening as it needs backports for 2.7, 3.3, 3.4, 3.5 and 3.6.
|
msg299182 |
Author: STINNER Victor (vstinner) * |
Date: 2017-07-26 01:55 |
What about rejecting the NUL byte too?
|
msg299199 |
Author: STINNER Victor (vstinner) * |
Date: 2017-07-26 03:29 |
I closed bpo-29606 as a duplicate of this bug.
|
msg299204 |
Author: Ned Deily (ned.deily) * |
Date: 2017-07-26 04:23 |
Just FYI, if the backports to 3.5, 3.4, and 3.3 happen *really* fast, we *might* be able to get them into the current round of releases, if Larry approves for 3.5.4 final and 3.4.7 final. If the 3.3 backport doesn't happen soon, 3.3 will reach end of life without it.
|
msg299205 |
Author: Dong-hee Na (corona10) * |
Date: 2017-07-26 04:26 |
Okay, I will send the backports today.
|
msg299209 |
Author: Ned Deily (ned.deily) * |
Date: 2017-07-26 04:58 |
New changeset a4e774f86224cd8c997deaa4e71312cf1a7b023c by Ned Deily (Dong-hee Na) in branch '3.3':
[3.3] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2885)
https://github.com/python/cpython/commit/a4e774f86224cd8c997deaa4e71312cf1a7b023c
|
msg299212 |
Author: Ned Deily (ned.deily) * |
Date: 2017-07-26 07:04 |
New changeset 19b2890014d3098147d16475c492a47a43893768 by Ned Deily (Dong-hee Na) in branch '3.5':
[3.5] [security] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2887)
https://github.com/python/cpython/commit/19b2890014d3098147d16475c492a47a43893768
|
msg299225 |
Author: STINNER Victor (vstinner) * |
Date: 2017-07-26 12:11 |
New changeset 8c2d4cf092c5f0335e7982392a33927579c4d512 by Victor Stinner (Dong-hee Na) in branch '3.6':
[3.6] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2886)
https://github.com/python/cpython/commit/8c2d4cf092c5f0335e7982392a33927579c4d512
|
msg299226 |
Author: STINNER Victor (vstinner) * |
Date: 2017-07-26 12:12 |
@corona10: Cool, 3.3, 3.5, 3.6 and master are fixed. Would you mind also creating backports for 2.7 and 3.4, please?
|
msg299228 |
Author: Giampaolo Rodola' (giampaolo.rodola) * |
Date: 2017-07-26 12:22 |
> What about rejecting the NUL byte too?
I don't think it would make any difference at this point.
|
msg299229 |
Author: STINNER Victor (vstinner) * |
Date: 2017-07-26 13:09 |
Victor> What about rejecting the NUL byte too?
Giampaolo Rodola'> I don't think it would make any difference at this point.
I asked because I read that filenames containing newlines can be escaped using \n\0. So it seems like "embedded" NUL bytes have special semantics in FTP.
http://bugs.python.org/issue29606#msg292677
I have no opinion on NUL bytes. It's just that I saw them mentioned somewhere in the discussion, but I failed to see a rationale to accept or reject them.
|
msg299230 |
Author: Giampaolo Rodola' (giampaolo.rodola) * |
Date: 2017-07-26 13:16 |
AFAIK, its only use case is to escape \r and \n.
|
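The check discussed in msg292556 (refuse '\r' and '\n' in a command line) and the NUL question from msg299182 onward, as an added example that is not CPython's ftplib code. It models the condition the bpo-30119 fix added to ftplib.FTP.putline(), shows why an unchecked client turns one percent-encoded filename into two server-side commands, and makes NUL rejection an explicit, hypothetical option (the shipped fix does not reject NUL). The ftp.example.test URLs and the NOOP trailer are constructed inputs.

```python
"""Hardened FTP command serialisation (added example, not ftplib's own code).

Models the bpo-30119 check: an FTP server reads the control channel one
CRLF-terminated line at a time, so a '\r' or '\n' embedded in a filename
would be read as the end of one command and the start of another.
"""
from typing import List
from urllib.parse import unquote, urlsplit

CRLF = "\r\n"


def build_command_unchecked(cmd: str, arg: str) -> str:
    """Pre-fix behaviour: concatenate and terminate with CRLF, no validation."""
    return f"{cmd} {arg}{CRLF}"


def build_command(cmd: str, arg: str, reject_nul: bool = False) -> str:
    """Post-fix behaviour: same serialisation, but line terminators are refused."""
    line = f"{cmd} {arg}"
    if "\r" in line or "\n" in line:
        # Same condition as the bpo-30119 patch to ftplib.FTP.putline().
        raise ValueError("an illegal newline character should not be contained")
    if reject_nul and "\0" in line:
        # Hypothetical stricter policy from the thread; not part of the fix.
        raise ValueError("an illegal NUL byte should not be contained")
    return line + CRLF


def server_side_commands(stream: str) -> List[str]:
    """Split a control-channel stream the way an FTP server reads it:
    one command per CRLF-terminated line (trailing empty piece dropped)."""
    return [line for line in stream.split(CRLF) if line]


def filename_from_ftp_url(url: str) -> str:
    """Percent-decode the path of an ftp:// URL. This is where %0D%0A in a
    crafted URL becomes a raw CR LF pair, so the newline check must run on
    the decoded value, not on the still-encoded URL."""
    return unquote(urlsplit(url).path.lstrip("/"))


def commands_seen_by_server(url: str) -> List[str]:
    """Commands a pre-fix client would emit for one RETR of the file in `url`."""
    return server_side_commands(
        build_command_unchecked("RETR", filename_from_ftp_url(url))
    )


def retr_is_rejected(url: str) -> bool:
    """True if the hardened builder refuses the RETR for this URL."""
    try:
        build_command("RETR", filename_from_ftp_url(url))
    except ValueError:
        return True
    return False


def nul_is_rejected(arg: str, reject_nul: bool) -> bool:
    """True if the hardened builder refuses `arg` under the given NUL policy."""
    try:
        build_command("RETR", arg, reject_nul=reject_nul)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal URL and one carrying an encoded CRLF
    # followed by a harmless NOOP, to show one line becoming two commands.
    benign = "ftp://ftp.example.test/report.txt"
    crafted = "ftp://ftp.example.test/report.txt%0D%0ANOOP"
    print(commands_seen_by_server(benign))    # ['RETR report.txt']
    print(commands_seen_by_server(crafted))   # ['RETR report.txt', 'NOOP']
    print(retr_is_rejected(crafted))          # True
    print(nul_is_rejected("a\0b", False))     # False: matches the shipped fix
    print(nul_is_rejected("a\0b", True))      # True: hypothetical stricter policy
```

The practical point for a reviewer is the ordering: the check belongs at the serialisation boundary (putline) rather than at the URL layer, because the dangerous bytes only exist after percent-decoding and any other caller of the client API would otherwise bypass a URL-level filter.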
msg299242 |
Author: STINNER Victor (vstinner) * |
Date: 2017-07-26 15:50 |
New changeset e5eae474c431af2880a68f6329840b9288fc4bc1 by Victor Stinner (Dong-hee Na) in branch '2.7':
[2.7] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2894)
https://github.com/python/cpython/commit/e5eae474c431af2880a68f6329840b9288fc4bc1
|
msg299341 |
Author: Larry Hastings (larry) * |
Date: 2017-07-27 19:47 |
New changeset 2a5a26c87e82c7d9a348792891feccd1b5e9a769 by larryhastings (Dong-hee Na) in branch '3.4':
[3.4] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2893)
https://github.com/python/cpython/commit/2a5a26c87e82c7d9a348792891feccd1b5e9a769
|
Date | User | Action | Args
2022-04-11 14:58:45 | admin | set | github: 74305
2019-05-10 18:12:00 | ned.deily | set | messages: - msg342096
2019-05-10 17:36:39 | ned.deily | set | messages: + msg342096
2017-07-28 04:07:50 | ned.deily | set | priority: release blocker -> ; status: open -> closed; resolution: fixed; stage: backport needed -> resolved
2017-07-27 19:47:49 | larry | set | messages: + msg299341
2017-07-26 15:50:40 | vstinner | set | messages: + msg299242
2017-07-26 13:16:02 | giampaolo.rodola | set | messages: + msg299230
2017-07-26 13:09:21 | vstinner | set | messages: + msg299229
2017-07-26 13:03:48 | corona10 | set | pull_requests: + pull_request2946
2017-07-26 12:51:29 | corona10 | set | pull_requests: + pull_request2945
2017-07-26 12:22:33 | giampaolo.rodola | set | messages: + msg299228
2017-07-26 12:12:55 | vstinner | set | messages: + msg299226
2017-07-26 12:11:27 | vstinner | set | messages: + msg299225
2017-07-26 07:04:44 | ned.deily | set | messages: + msg299212
2017-07-26 05:12:06 | corona10 | set | pull_requests: + pull_request2939
2017-07-26 05:04:41 | corona10 | set | pull_requests: + pull_request2938
2017-07-26 04:58:24 | ned.deily | set | messages: + msg299209
2017-07-26 04:43:30 | corona10 | set | pull_requests: + pull_request2937
2017-07-26 04:26:30 | corona10 | set | messages: + msg299205
2017-07-26 04:23:38 | ned.deily | set | priority: normal -> release blocker; nosy: + larry, benjamin.peterson, georg.brandl, ned.deily; messages: + msg299204; keywords: + security_issue
2017-07-26 03:29:01 | vstinner | set | superseder: urllib FTP protocol stream injection -> ; messages: + msg299199
2017-07-26 03:28:33 | vstinner | link | issue29606 superseder
2017-07-26 01:55:37 | vstinner | set | status: pending -> open; messages: + msg299182
2017-07-26 01:27:08 | ned.deily | set | status: open -> pending
2017-07-26 01:26:47 | ned.deily | set | status: pending -> open; nosy: + vstinner
2017-07-25 21:08:10 | giampaolo.rodola | set | status: closed -> pending; versions: + Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6; messages: + msg299141; resolution: duplicate -> (no value); stage: resolved -> backport needed
2017-07-22 17:20:24 | giampaolo.rodola | set | messages: + msg298860
2017-05-05 07:36:46 | berker.peksag | set | status: open -> closed; stage: resolved
2017-05-01 18:55:53 | giampaolo.rodola | set | messages: + msg292693
2017-04-29 12:00:05 | martin.panter | set | nosy: + martin.panter; messages: + msg292591; resolution: duplicate; superseder: urllib FTP protocol stream injection
2017-04-29 03:00:23 | corona10 | set | messages: + msg292557
2017-04-29 02:58:36 | corona10 | set | messages: + msg292556
2017-04-29 02:24:06 | giampaolo.rodola | set | nosy: + giampaolo.rodola
2017-04-20 18:13:13 | corona10 | set | title: A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application -> (ftplib) A remote attacker could possibly attack by containing the newline characters
2017-04-20 18:10:00 | corona10 | set | versions: + Python 3.7
2017-04-20 17:58:26 | corona10 | set | pull_requests: + pull_request1337
2017-04-20 17:57:20 | corona10 | create |