[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Giampaolo Rodola' g.rodola at gmail.com
Fri Jul 21 08:43:18 EDT 2017


On Fri, Jul 21, 2017 at 12:45 PM, Victor Stinner <victor.stinner at gmail.com> wrote:

> 2017-07-21 12:02 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:
> > https://bugs.python.org/issue29606
> > http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> > => not fixed yet
>
> Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to find a balance between security (reject any URL looking like an attempt to counter the security protections) and backward compatibility (accept filenames containing newlines). Maybe we need to only reject a URL which contains a newline in the "host" part, but accept them in the "path" part of the URL? The question is if the code splits correctly "host" and "path" parts when the URL contains a newline. My bet is that no, it behaves badly :-)
>
> Victor



It took me a while to understand the security implications of this FTP-related bug, but I believe I got the gist of it here (I can elaborate further if it's not clear): https://github.com/python/cpython/pull/1214#issuecomment-298393169 My proposal is to fix ftplib.py and guard against malicious strings involving the PORT command only. This way we fix the issue and maintain backward compatibility by allowing users to specify "\n" in their paths and username / password pairs. Java took a different approach and disallowed "\n" completely. To my understanding fixing ftplib would automatically mean fixing urllib as well.

-- Giampaolo - http://grodola.blogspot.com
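The two guard points this thread is weighing, as an added example (my code, not Giampaolo's proposal and not CPython's ftplib or urllib): build_ftp_command refuses CR/LF in any argument at the moment the control line is assembled, which is where a stray newline would otherwise end the current command and let the remainder of the argument be read by the server as a further command; check_ftp_url applies the narrower policy Victor floats, rejecting newlines only in the host part of the URL and merely reporting them in the path. All function names and sample URLs are invented. The URL check deliberately works on the raw string rather than on urllib.parse.urlsplit output, because recent Python releases (the bpo-43882 fix) strip tab, CR and LF from a URL before splitting it, so a check placed after the split would never see them.

```python
"""Added example (not code from the thread, from CPython's ftplib or from
urllib): two places to guard against FTP control-stream injection.
Names (has_crlf, build_ftp_command, check_ftp_url, rejects) are invented."""

CR_LF = ("\r", "\n")


def has_crlf(text: str) -> bool:
    """True if text contains a carriage return or a line feed."""
    return any(c in text for c in CR_LF)


def build_ftp_command(verb: str, arg: str = "") -> bytes:
    """Assemble one FTP control-connection line.

    The control channel is line based, so a CR or LF inside an argument would
    end the current command early and hand the rest of the string to the
    server as another command. Checking here, where the line is built,
    protects every command (RETR, CWD, USER, PASS, PORT, ...) with one test.
    """
    if has_crlf(arg):
        raise ValueError("FTP command argument must not contain CR or LF")
    line = f"{verb} {arg}" if arg else verb
    return line.encode("latin-1") + b"\r\n"


def check_ftp_url(url: str) -> dict:
    """Split an ftp:// URL on the raw string and apply the narrower policy
    discussed in the thread: CR/LF in the host part is always rejected, CR/LF
    in the path part is only reported so the caller can keep accepting odd
    filenames. The host part here is the whole netloc, so any user:password
    prefix is covered by the same rejection.

    The raw string is split on purpose: recent urllib.parse.urlsplit removes
    tab, CR and LF before splitting, so a check run on its result sees nothing.
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ftp":
        raise ValueError("not an ftp:// URL")
    netloc, slash, path = rest.partition("/")
    if has_crlf(netloc):
        raise ValueError("CR or LF in the host part of an FTP URL")
    return {"host": netloc, "path": slash + path, "path_has_crlf": has_crlf(path)}


def rejects(func, *args) -> bool:
    """True if func(*args) raises ValueError; keeps the checks below readable."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    print(build_ftp_command("RETR", "pub/readme.txt"))
    print(check_ftp_url("ftp://mirror.example/pub/odd\nname"))
    print(rejects(build_ftp_command, "RETR", "odd\nname"))
    print(rejects(check_ftp_url, "ftp://bad\nhost/pub"))
```

The trade-off Giampaolo describes shows up directly: the first function is the blanket rule (any CR/LF in any argument is an error, which also affects filenames and credentials containing newlines), while the second keeps the path permissive and only refuses the part of the URL where a newline has no legitimate meaning.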


