This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ecbftw
Recipients christian.heimes, corona10, ecbftw, giampaolo.rodola, martin.panter, supl, vstinner
Date 2017-05-01.17:21:01
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1493659261.68.0.87400102508.issue29606@psf.upfronthosting.co.za>
In-reply-to
Content 
It was just pointed out by @giampaolo in (https://github.com/python/cpython/pull/1214) that an escaping mechanism does actually exist for FTP, as defined in RFC-2640.  The relevant passage is as follows:

   When a <CR> character is encountered as part of a pathname it MUST be
   padded with a <NUL> character prior to sending the command. On
   receipt of a pathname containing a <CR><NUL> sequence the <NUL>
   character MUST be stripped away. This approach is described in the
   Telnet protocol [RFC854] on pages 11 and 12. For example, to store a
   pathname foo<CR><LF>boo.bar the pathname would become
   foo<CR><NUL><LF>boo.bar prior to sending the command STOR
   <SP>foo<CR><NUL><LF>boo.bar<CRLF>. Upon receipt of the altered
   pathname the <NUL> character following the <CR> would be stripped
   away to form the original pathname.


It isn't clear how good FTP server support for this is, or if firewalls recognize this escaping as well.  In the case of firewalls, one could argue that if they don't account for it, the vulnerability lies in them.
History
Date User Action Args
2017-05-01 17:21:01ecbftwsetrecipients: + ecbftw, vstinner, giampaolo.rodola, christian.heimes, martin.panter, supl, corona10
2017-05-01 17:21:01ecbftwsetmessageid: <1493659261.68.0.87400102508.issue29606@psf.upfronthosting.co.za>
2017-05-01 17:21:01ecbftwlinkissue29606 messages
2017-05-01 17:21:01ecbftwcreate