(ftplib) A remote attacker could possibly attack by containing the newline characters #74305
Comments
It was discovered that the FTP client implementation in the Networking component of Python failed to correctly handle user inputs. See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3533. I uploaded the patch for this issue.
One of the purposes of the JDK patch is to prevent '\r' and '\n' from being inserted into the FTP command. In particular, it seems to assume that if another malicious command is inserted after '\n', the possibility of such an attack will be opened at a later time.
'\ r' -> '\r'
I suggest to close this as a duplicate. The pull request itself looks like the right direction to me, but let's not split the discussion up more than necessary.
The relevant discussion of this bug is happening in #1214.
Reopening as it needs backports for 2.7, 3.3, 3.4, 3.5 and 3.6.
What about also rejecting the NUL byte?
I closed bpo-29606 as a duplicate of this bug.
Just FYI, if the backports to 3.5, 3.4, and 3.3 happen *really* fast, we *might* be able to get them into the current round of releases, if Larry approves for 3.5.4 final and 3.4.7 final. If the 3.3 backport doesn't happen soon, 3.3 will reach end of life without it.
Okay, I will send the backport today.
@corona10: Cool, 3.3, 3.5, 3.6 and master are fixed. Would you mind also creating backports for 2.7 and 3.4, please?
I don't think it would make any difference at this point.
Victor> What about also rejecting the NUL byte? I asked because I read that filenames containing newlines can be escaped using \n\0. So it seems like "embedded" NUL bytes have a special semantic in FTP. I have no opinion on NUL bytes. It's just that I saw them mentioned somewhere in the discussion, but I failed to see a rationale to accept or reject them.
AFAIK its only use case is to escape \r and \n.
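As an added example (not the CPython patch or any commenter's code), here is a minimal FTP command builder that applies the check the thread converges on: CR and LF are refused in any command argument so that one call can never become two protocol lines, and NUL rejection, the question left open above, is a separate optional knob. All function names and sample inputs are constructed for illustration.

```python
# Added example: a minimal FTP command builder applying the check discussed in
# this thread. Not the CPython patch itself; all names here are constructed.
from typing import List, Optional

CRLF = "\r\n"  # an FTP command is one line, terminated by CR LF


class IllegalCommandError(ValueError):
    """Raised when an argument would make the command span several lines."""


def is_single_line(text: str, reject_nul: bool = False) -> bool:
    """True if text can be sent as part of one FTP command line.

    CR and LF are always rejected: a CR LF inside an argument (say, a filename
    taken from a URL) is read by the server as the end of this command followed
    by a second, attacker-chosen command. Whether to reject NUL as well is the
    question left open in the thread, so it is a separate, optional knob.
    """
    if "\r" in text or "\n" in text:
        return False
    return not (reject_nul and "\0" in text)


def build_command(verb: str, arg: Optional[str] = None,
                  reject_nul: bool = False) -> str:
    """Assemble one command line, refusing anything that breaks the line model."""
    line = verb if arg is None else f"{verb} {arg}"
    if not is_single_line(line, reject_nul):
        raise IllegalCommandError(
            "an illegal newline character should not be contained")
    return line + CRLF


def rejected_arguments(args: List[str], reject_nul: bool = False) -> List[str]:
    """Return the subset of args a hardened client would refuse to send.

    Handy for auditing filenames before they reach the control connection, or
    for flagging injection attempts when reviewing client logs.
    """
    return [a for a in args if not is_single_line(a, reject_nul)]


if __name__ == "__main__":
    # Constructed sample inputs: one benign name, two multi-line, one with NUL.
    samples = ["report.txt", "a\r\nNOOP", "b\nNOOP", "c\0d"]
    print(rejected_arguments(samples))        # ['a\r\nNOOP', 'b\nNOOP']
    print(rejected_arguments(samples, True))  # ['a\r\nNOOP', 'b\nNOOP', 'c\x00d']
    print(repr(build_command("RETR", "report.txt")))  # 'RETR report.txt\r\n'
```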