[issue43285] ftplib use host from PASV response

Gregory P. Smith report at bugs.python.org
Sat Mar 13 07:03:41 EST 2021


Gregory P. Smith <greg at krypto.org> added the comment:

I'm not interested in chasing down a CVE for this myself.  If anyone wants to jump through the hoops to obtain one, the text used for curl in the hackerone link is likely a good guide.

My PR includes a way for people to opt-out of the secure behavior (why would anyone ever want that?) by setting the use_untrusted_server_pasv_ipv4_addr attribute to True on their ftplib.FTP instance.  Setting that attribute on a server lacking this fix is a no-op, making it safe to add to code running on any version.

This is an embarrassingly old widespread common issue in a large number of ftp clients.  Even the 1998 IPv6 RFC https://tools.ietf.org/html/rfc2428 indirectly acknowledges its existence by disallowing the new EPSV command that replaces PASV from returning anything other than the port number while leaving fields for the other values present but empty...

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue43285>
_______________________________________
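The behaviour the comment describes, as an added illustration that is not code from the tracker thread or from CPython's ftplib: the client parses the 227 PASV reply for the port only and opens the data connection to the address it is already talking to on the control connection, unless the caller explicitly opts in to the server-supplied address. The function and sample replies below are constructed for this example; the keyword name mirrors the attribute mentioned in the comment.

```python
import re

# Constructed sample replies (not taken from the tracker thread).
PASV_REPLY_OK = "227 Entering Passive Mode (192,0,2,10,195,89)"
# A server that points the data connection somewhere other than itself.
PASV_REPLY_REDIRECT = "227 Entering Passive Mode (10,0,0,5,0,22)"

_227_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse a 227 reply into (host, port) exactly as the server advertised them."""
    if not reply.startswith("227"):
        raise ValueError(f"unexpected PASV reply: {reply!r}")
    m = _227_RE.search(reply)
    if m is None:
        raise ValueError(f"no address fields in reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"address field out of range: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]
    return host, port


def data_endpoint(reply: str, control_peer: str,
                  use_untrusted_server_pasv_ipv4_addr: bool = False) -> tuple[str, int]:
    """Decide where the data connection goes.

    control_peer is the address the control socket is connected to (what
    sock.getpeername()[0] would return).  By default only the port from the
    reply is used; the host is the control peer.  Setting the opt-out flag
    restores the old behaviour of trusting the server-supplied host.
    """
    advertised_host, port = parse_pasv(reply)
    if use_untrusted_server_pasv_ipv4_addr:
        return advertised_host, port
    return control_peer, port


def pasv_host_mismatch(reply: str, control_peer: str) -> bool:
    """True when the server advertised a host other than itself; useful to log."""
    advertised_host, _ = parse_pasv(reply)
    return advertised_host != control_peer
```

In the fix as released in CPython the attribute is called `trust_server_pasv_ipv4_address`; the default-off semantics are the same as shown here.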
