[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Random832 random832 at fastmail.com
Fri Jul 21 10:23:10 EDT 2017


On Fri, Jul 21, 2017, at 08:43, Giampaolo Rodola' wrote:

> It took me a while to understand the security implications of this FTP-related bug, but I believe I got the gist of it here (I can elaborate further if it's not clear): https://github.com/python/cpython/pull/1214#issuecomment-298393169 My proposal is to fix ftplib.py and guard against malicious strings involving the PORT command only. This way we fix the issue and maintain backward compatibility by allowing users to specify "\n" in their paths and username / password pairs. Java took a different approach and disallowed "\n" completely. To my understanding fixing ftplib would automatically mean fixing urllib as well.

What would a \n in a path mean? What commands would you send over FTP to successfully retrieve a file (or enter a username or password) containing a newline in the name? In other words, what exactly are we being backward compatible with?
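An added example, not code from this thread or from CPython's ftplib, that answers the question above concretely: a hypothetical command builder with the CR/LF guard being discussed, beside a toy line splitter that reads a control-channel stream the way an RFC 959 server does, so a "\n" inside a path is seen to become a second command.

```python
# Added example (not from the mailing-list thread or CPython's ftplib).
# build_command, split_as_server_would and demo are hypothetical names.

CRLF = "\r\n"

def build_command(verb: str, arg: str = "") -> str:
    """Serialise one FTP command line, refusing CR/LF in the argument.

    An FTP server reads the control connection line by line (RFC 959),
    so a newline embedded in an argument terminates the current command
    and whatever follows it is parsed as a separate command.
    """
    if "\r" in arg or "\n" in arg:
        raise ValueError("CR/LF not allowed in FTP command argument")
    line = verb if not arg else f"{verb} {arg}"
    return line + CRLF

def split_as_server_would(raw: str) -> list:
    """Split a raw control-channel stream the way a line-oriented FTP
    server does, returning (VERB, argument) tuples."""
    cmds = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        cmds.append((verb.upper(), arg))
    return cmds

# Constructed input: a "path" containing an embedded newline, as a caller
# relying on the old behaviour might pass it. The PORT argument is a
# constructed loopback value.
UNSAFE_PATH = "dir\nPORT 127,0,0,1,7,208"

def demo():
    # Unguarded concatenation: one RETR on the client side is read as two
    # commands by the server, which is the injection the thread is about.
    unguarded = "RETR " + UNSAFE_PATH + CRLF
    seen = split_as_server_would(unguarded)
    # Guarded builder: the same argument is rejected before anything is sent.
    try:
        build_command("RETR", UNSAFE_PATH)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected
```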
