[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
Victor Stinner victor.stinner at gmail.com
Tue Jun 20 18:35:13 EDT 2017
- Previous message (by thread): [Python-Dev] bugs.python.org is down at the moment (503)
- Next message (by thread): [Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)
Hi,
2017-02-24 5:36 GMT+01:00 Steven D'Aprano <steve at pearwood.info>:
> I am not qualified to judge the merits of this, but it does seem worrying that (allegedly) the Python security team hasn't responded for over 12 months.
> Is anyone able to comment?
I don't have the archives of the PSRT mailing list and I'm not sure that I was subscribed when "the" email was sent. Does someone have the date of this email? It's to complete the new entry in my doc: http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
I don't want to blame anyone, I just want to collect data to help us to enhance our process to handle security vulnerabilities.
FYI I tried to take care of a few security vulnerabilities recently, and as expected, each issue is more tricky than expected :-)
While fixing http://bugs.python.org/issue30500 I noticed that urllib accepts newline characters in URLs. I don't know if it's deliberate or not... So I created a new issue http://bugs.python.org/issue30713
I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in 2.7 on Windows with Visual Studio 2008. And just when I was done, expat 2.2.1 was released. I have to do the same job again :-)
Victor
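An added example, not part of Victor's message and not CPython code, of the check that the newline observation above suggests: scan a URL for control characters, both raw and after percent-decoding, before handing it to urllib. The function names, the `decode_rounds` parameter and the sample URLs are assumptions constructed for illustration; one decode round is assumed to match a consumer that percent-decodes the URL once.

```python
from urllib.parse import unquote


def _is_control(ch):
    # C0 control characters (CR, LF, TAB, NUL, ...) and DEL
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def control_chars_in_url(url, decode_rounds=1):
    """Return a list of (stage, offset, repr(char)) findings.

    Stage 0 is the raw string; stage n is the string after n rounds of
    percent-decoding. The raw string is scanned before any URL parsing,
    because a parser may strip or normalise these characters.
    """
    findings = []
    current = url
    for stage in range(decode_rounds + 1):
        findings.extend(
            (stage, i, repr(ch)) for i, ch in enumerate(current) if _is_control(ch)
        )
        decoded = unquote(current)
        if decoded == current:  # nothing left to decode
            break
        current = decoded
    return findings


def require_clean_url(url, decode_rounds=1):
    """Return url unchanged, or raise ValueError if it carries control characters."""
    findings = control_chars_in_url(url, decode_rounds)
    if findings:
        stage, offset, char = findings[0]
        raise ValueError(
            f"control character {char} at offset {offset} (decode stage {stage})"
        )
    return url


# Constructed sample inputs (not taken from the advisory)
SAMPLES = [
    "ftp://files.example.com/pub/readme.txt",            # clean
    "ftp://files.example.com/pub/readme.txt\r\nMARKER",  # raw CR LF
    "ftp://files.example.com/pub%0d%0aMARKER",           # percent-encoded CR LF
    "http://example.com/a%20b?q=1",                      # encoded space is allowed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), control_chars_in_url(sample))
```

Raising `decode_rounds` also catches double-encoded sequences such as `%250a`, at the cost of rejecting URLs that legitimately contain a literal `%0a` in a name.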