On Fri, Jul 21, 2017, at 08:43, Giampaolo Rodola' wrote:
> It took me a while to understand the security implications of this
> FTP-related bug, but I believe I got the gist of it here (I can
> elaborate further if it's not clear):
> https://github.com/python/cpython/pull/1214#issuecomment-298393169
> My proposal is to fix ftplib.py and guard against malicious
> strings involving the *PORT command only*. This way we fix the
> issue *and* maintain backward compatibility by allowing users to
> specify "\n" in their paths and username / password pairs. Java
> took a different approach and disallowed "\n" completely. To my
> understanding fixing ftplib would automatically mean fixing urllib
> as well.
What would a \n in a path mean? What commands would you send over FTP to successfully retrieve a file (or enter a username or password) containing a newline in the name? In other words, what exactly are we being backward compatible *with*?

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com