[New-bugs-announce] [issue29606] urllib FTP protocol stream injection
ecbftw
report at bugs.python.org
Mon Feb 20 11:49:02 EST 2017
New submission from ecbftw:
Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
This was reported to security at python dot org, but as far as I can tell, they sat on it for a year.
I don't think there is a proper way to encode newlines in CWD commands, according to the FTP RFC. If that is the case, then I suggest throwing an exception on any URLs that contain one of '\r\n\0' or any other characters that the FTP protocol simply can't support.
----------
messages: 288219
nosy: ecbftw
priority: normal
severity: normal
status: open
title: urllib FTP protocol stream injection
type: security
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6, Python 3.7
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29606>
_______________________________________
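As an added example (not code from the report or from CPython), a check of the kind the report suggests: refuse an FTP URL if any decoded path segment or credential component carries CR, LF or NUL. Function and constant names are this example's own; hostnames and ports are assumed to be validated elsewhere.

```python
"""Reject FTP URLs whose components could break the FTP control stream.

urllib's FTP handler splits the URL path on '/', percent-decodes each
segment and sends it as the argument of a CWD command (the last one as
RETR or LIST). A decoded segment containing '\r' or '\n' ends that
command line early, so the remainder is read by the server as a further
command. The FTP RFC gives no way to encode such bytes in a CWD
argument, so the safe policy is to refuse the URL outright.
"""
from urllib.parse import unquote, urlsplit

# Characters that cannot be carried inside an FTP command line.
FTP_FORBIDDEN = frozenset("\r\n\0")


def ftp_url_is_safe(url: str) -> bool:
    """Return True only if no path segment or credential, after
    percent-decoding, contains CR, LF or NUL."""
    # Check the raw string first: newer urlsplit() silently strips literal
    # tab/CR/LF from the input, which would hide them from the parsed view.
    if FTP_FORBIDDEN.intersection(url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise ValueError("not an ftp URL: %r" % url)
    # Mirror urllib: split first, then decode each segment, so an encoded
    # %0D%0A or %00 is caught exactly where urllib would decode it.
    for segment in parts.path.split("/"):
        if FTP_FORBIDDEN.intersection(unquote(segment)):
            return False
    # Userinfo is sent in USER/PASS commands and needs the same check.
    for field in (parts.username, parts.password):
        if field and FTP_FORBIDDEN.intersection(unquote(field)):
            return False
    return True


def check_ftp_url(url: str) -> str:
    """Raise ValueError on an unsafe URL, otherwise return it unchanged."""
    if not ftp_url_is_safe(url):
        raise ValueError("FTP URL contains CR, LF or NUL in a path or "
                         "credential component: %r" % url)
    return url


if __name__ == "__main__":
    # Constructed sample inputs; example.invalid is a reserved name.
    print(check_ftp_url("ftp://example.invalid/pub/file.txt"))
    try:
        check_ftp_url("ftp://example.invalid/pub/a%0D%0Ab/file.txt")
    except ValueError as exc:
        print("rejected:", exc)
```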