On Fri, Jul 21, 2017 at 12:45 PM, Victor Stinner <victor.stin...@gmail.com> wrote:
> 2017-07-21 12:02 GMT+02:00 Victor Stinner <victor.stin...@gmail.com>:
> > https://bugs.python.org/issue29606
> > http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> > => not fixed yet
>
> Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to
> find a balance between security (reject any URL looking like an
> attempt to counter the security protections) and backward
> compatibility (accept filenames containing newlines).
>
> Maybe we need to only reject a URL which contains a newline in the
> "host" part, but accept them in the "path" part of the URL? The
> question is if the code correctly splits the "host" and "path" parts when
> the URL contains a newline. My bet is that no, it behaves badly :-)
>
> Victor
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/g.rodola%40gmail.com

It took me a while to understand the security implications of this FTP-related bug, but I believe I got the gist of it here (I can elaborate further if it's not clear):
https://github.com/python/cpython/pull/1214#issuecomment-298393169

My proposal is to fix ftplib.py and guard against malicious strings involving the *PORT command only*. This way we fix the issue *and* maintain backward compatibility by allowing users to specify "\n" in their paths and username / password pairs. Java took a different approach and disallowed "\n" completely.

To my understanding fixing ftplib would automatically mean fixing urllib as well.

-- 
Giampaolo - http://grodola.blogspot.com
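The two input policies the thread weighs, written out as an added illustration (this is not CPython's fix and not code from either poster): a strict rule that refuses any CR/LF in a value destined for an FTP command line, and the narrower rule from the proposal above that only refuses a newline followed by a PORT-family verb, plus a helper that applies Victor's idea of always holding the host part to the strict rule. Function names, the inclusion of EPRT next to PORT, and all sample strings are assumptions made for this example.

```python
import re
from typing import Callable

# Line terminators an FTP server would treat as the end of a command line:
# CRLF (the protocol's own), or a bare CR or LF.
_LINE_BREAK = re.compile(r"\r\n|\r|\n")

# Verbs that set up a data connection. A value that injects one of these after
# a newline is what the thread calls a "malicious string involving the PORT
# command". EPRT is included here as an assumption (the extended form of PORT).
_PORT_FAMILY = ("PORT", "EPRT")


def strict_reject_newlines(value: str) -> None:
    """Policy 1: refuse any CR or LF (the approach the thread attributes to Java)."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in FTP command argument")


def reject_port_injection(value: str) -> None:
    """Policy 2: tolerate newlines inside names and credentials, but refuse a
    newline that would start a new PORT-family command line (the narrower
    proposal in the thread)."""
    # Everything after the first line break is text the server would parse as
    # a fresh command; look at the verb each such line would begin with.
    for line in _LINE_BREAK.split(value)[1:]:
        verb = line.lstrip().split(" ", 1)[0].upper()
        if verb in _PORT_FAMILY:
            raise ValueError(f"embedded newline followed by {verb} command")


def is_accepted(value: str, policy: Callable[[str], None]) -> bool:
    """True if `policy` raises no ValueError for `value`."""
    try:
        policy(value)
    except ValueError:
        return False
    return True


def check_ftp_url_parts(user: str, passwd: str, host: str, path: str,
                        policy: Callable[[str], None] = reject_port_injection) -> bool:
    """Apply a policy to the pieces an FTP URL handler would hand to ftplib.
    The host part is always held to the strict rule (a newline there is never
    a legitimate hostname); user, password and path use `policy`.
    Returns True only if every part is accepted."""
    if not is_accepted(host, strict_reject_newlines):
        return False
    return all(is_accepted(part, policy) for part in (user, passwd, path))


if __name__ == "__main__":
    # Constructed sample inputs for illustration.
    samples = [
        "plain.txt",
        "report\n2017.txt",              # newline inside a filename
        "file\r\nPORT 10,0,0,1,0,21",    # newline followed by a PORT command
        "file\n  eprt |1|10.0.0.1|21|",  # lower-case, indented EPRT
    ]
    for s in samples:
        print(repr(s),
              "strict:", is_accepted(s, strict_reject_newlines),
              "port-only:", is_accepted(s, reject_port_injection))
```

The second policy is the one that preserves backward compatibility for filenames containing "\n"; the first is simpler to reason about because it also stops any other verb that could follow an injected line break, which is the trade-off the thread is discussing.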