Message288219
Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
This was reported to security at python dot org, but as far as I can tell, they sat on it for a year.
I don't think there is a proper way to encode newlines in CWD commands, according to the FTP RFC. If that is the case, then I suggest throwing an exception on any URLs that contain one of '\r\n\0' or any other characters that the FTP protocol simply can't support.
Date | User | Action | Args
2017-02-20 16:49:02 | ecbftw | set | recipients: + ecbftw
2017-02-20 16:49:02 | ecbftw | set | messageid: <1487609342.46.0.653185585548.issue29606@psf.upfronthosting.co.za>
2017-02-20 16:49:02 | ecbftw | link | issue29606 messages
2017-02-20 16:49:02 | ecbftw | create |
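The rejection suggested in the message above, sketched as an added example (it is not part of the original message and not CPython's code). `check_ftp_url` and `UnsafeFTPURL` are hypothetical names, and the sketch assumes the check must run on the percent-decoded components, since that decoded form is what a client would write to the FTP control connection.

```python
from urllib.parse import urlsplit, unquote

# The characters the message proposes rejecting. FTP commands are
# CRLF-terminated lines, so none of these can appear inside an argument.
FORBIDDEN = frozenset("\r\n\0")


class UnsafeFTPURL(ValueError):
    """Hypothetical exception: the URL decodes to text FTP cannot carry."""


def check_ftp_url(url):
    """Return the decoded path segments of an ftp:// URL or raise UnsafeFTPURL.

    Every component a client would place in an FTP command (user name,
    password, each directory or file name) is percent-decoded before the
    check, so an encoded %0D%0A is caught as well as a literal one.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise UnsafeFTPURL("not an ftp URL: %r" % url)
    fields = {
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),
        "host": parts.hostname or "",
    }
    segments = [unquote(s) for s in parts.path.split("/")]
    for i, seg in enumerate(segments):
        fields["path segment %d" % i] = seg
    for name, value in fields.items():
        bad = FORBIDDEN.intersection(value)
        if bad:
            raise UnsafeFTPURL("%s contains %r" % (name, sorted(bad)))
    # Empty segments come from the leading or doubled slashes; drop them.
    return [s for s in segments if s]
```

The caller would run this before handing the URL to any FTP client code and treat `UnsafeFTPURL` as a hard failure rather than trying to strip the characters.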