[issue29606] urllib FTP protocol stream injection

[ecbftw]

ecbftw added the comment:

> The best place to reject invalid characters is where the URL is parsed, no? See also my bpo-30713.

No I don't really agree with that.  What other APIs can be used to submit a directory name, user name, password, or other field in an FTP command?  If you block unacceptable characters only at URL parsing, then you fail to address those other vectors.

The normal way to fix any injection vulneability is to encode the dangerous characters just before then are included in the surrounding syntax. Unfortunately in FTP's case, there's no widely-accepted way to encode these characters. So I think you should instead throw an exception right before the commands are put on the control channel.  Fixing the bug at the "sink" like this is a far more resilient way to address injections.

Any "legitimate" use case that users might have for these characters wouldn't have worked anyway. The code is already broken for new lines in file names. If you change the code such that it throws an exception when they are written to the control channel, that's a better mode of failure than what you have right now.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue29606>
_______________________________________