[Python-Dev] Need help to fix urllib(.parse) vulnerabilities
Random832
random832 at fastmail.com
Fri Jul 21 10:23:10 EDT 2017
On Fri, Jul 21, 2017, at 08:43, Giampaolo Rodola' wrote:
> It took me a while to understand the security implications of this
> FTP-related bug, but I believe I got the gist of it here (I can
> elaborate further if it's not clear):
> https://github.com/python/cpython/pull/1214#issuecomment-298393169
> My proposal is to fix ftplib.py and guard against malicious
> strings involving the *PORT command only*. This way we fix the
> issue *and* maintain backward compatibility by allowing users to
> specify "\n" in their paths and username / password pairs. Java
> took a different approach and disallowed "\n" completely. To my
> understanding fixing ftplib would automatically mean fixing urllib
> as well.
What would a \n in a path mean? What commands would you send over FTP to
successfully retrieve a file (or enter a username or password)
containing a newline in the name? In other words, what exactly are we
being backward compatible *with*?
More information about the Python-Dev
mailing list