Author gregory.p.smith
Recipients giampaolo.rodola, gregory.p.smith, ricexdream
Date 2021-03-13.12:03:40
Message-id <1615637021.54.0.568553859139.issue43285@roundup.psfhosted.org>
Content
I'm not interested in chasing down a CVE for this myself.  If anyone wants to jump through the hoops to obtain one, the text used for curl in the hackerone link is likely a good guide.

My PR includes a way for people to opt-out of the secure behavior (why would anyone ever want that?) by setting the use_untrusted_server_pasv_ipv4_addr attribute to True on their ftplib.FTP instance.  Setting that attribute on a server lacking this fix is a no-op, making it safe to add to code running on any version.

This is an embarrassingly old widespread common issue in a large number of ftp clients.  Even the 1998 IPv6 RFC https://tools.ietf.org/html/rfc2428 indirectly acknowledges its existence by disallowing the new EPSV command that replaces PASV from returning anything other than the port number while leaving fields for the other values present but empty...
History
Date                 User             Action  Args
2021-03-13 12:03:41  gregory.p.smith  set     recipients: + gregory.p.smith, giampaolo.rodola, ricexdream
2021-03-13 12:03:41  gregory.p.smith  set     messageid: <1615637021.54.0.568553859139.issue43285@roundup.psfhosted.org>
2021-03-13 12:03:41  gregory.p.smith  link    issue43285 messages
2021-03-13 12:03:40  gregory.p.smith  create
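
Added example, not part of the original message or of the CPython patch: a sketch of the client-side choice the message describes, ignoring the IPv4 address in a PASV (227) reply in favour of the control connection's peer address, next to an EPSV (229) reply that carries only a port. It uses the standard library's `ftplib.parse227` and `ftplib.parse229`; the functions `pasv_target`, `epsv_target` and `audit`, the `trust_server_addr` flag, and the sample replies and addresses are constructed for illustration.

```python
import ftplib

# Constructed sample data (documentation/private ranges, not from the issue).
CONTROL_PEER = ("203.0.113.10", 21)  # address the control socket is connected to
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)."    # advertises 10.0.0.5
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)"  # port only (RFC 2428)


def pasv_target(reply, control_peer, trust_server_addr=False):
    """Return (host, port, mismatch) for the data connection after PASV.

    trust_server_addr is a hypothetical flag standing in for the opt-out
    described in the message; by default the advertised host is ignored.
    """
    advertised_host, port = ftplib.parse227(reply)
    mismatch = advertised_host != control_peer[0]
    host = advertised_host if trust_server_addr else control_peer[0]
    return host, port, mismatch


def epsv_target(reply, control_peer):
    """EPSV replies carry no usable address; the peer address is reused."""
    return ftplib.parse229(reply, control_peer)


def audit(reply, control_peer):
    """Return a log-style finding when a PASV reply points away from the peer."""
    host, port, mismatch = pasv_target(reply, control_peer)
    if not mismatch:
        return None
    advertised = ftplib.parse227(reply)[0]
    return f"PASV advertised {advertised}:{port}, using {host}:{port} instead"


if __name__ == "__main__":
    print(pasv_target(PASV_REPLY, CONTROL_PEER))
    print(pasv_target(PASV_REPLY, CONTROL_PEER, trust_server_addr=True))
    print(epsv_target(EPSV_REPLY, CONTROL_PEER))
    print(audit(PASV_REPLY, CONTROL_PEER))
```

The `mismatch` value is worth logging on its own: a 227 reply whose address differs from the control peer is the condition the secure default neutralises.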