Message292677
It was just pointed out by @giampaolo in (https://github.com/python/cpython/pull/1214) that an escaping mechanism does actually exist for FTP, as defined in RFC-2640. The relevant passage is as follows:
When a <CR> character is encountered as part of a pathname it MUST be
padded with a <NUL> character prior to sending the command. On
receipt of a pathname containing a <CR><NUL> sequence the <NUL>
character MUST be stripped away. This approach is described in the
Telnet protocol [RFC854] on pages 11 and 12. For example, to store a
pathname foo<CR><LF>boo.bar the pathname would become
foo<CR><NUL><LF>boo.bar prior to sending the command STOR
<SP>foo<CR><NUL><LF>boo.bar<CRLF>. Upon receipt of the altered
pathname the <NUL> character following the <CR> would be stripped
away to form the original pathname.
It isn't clear how good FTP server support for this is, or if firewalls recognize this escaping as well. In the case of firewalls, one could argue that if they don't account for it, the vulnerability lies in them. |
|
Date |
User |
Action |
Args |
2017-05-01 17:21:01 | ecbftw | set | recipients:
+ ecbftw, vstinner, giampaolo.rodola, christian.heimes, martin.panter, supl, corona10 |
2017-05-01 17:21:01 | ecbftw | set | messageid: <1493659261.68.0.87400102508.issue29606@psf.upfronthosting.co.za> |
2017-05-01 17:21:01 | ecbftw | link | issue29606 messages |
2017-05-01 17:21:01 | ecbftw | create | |
|