Message 288219 - Python tracker

Message288219

Author	ecbftw
Recipients	ecbftw
Date	2017-02-20.16:49:02
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1487609342.46.0.653185585548.issue29606@psf.upfronthosting.co.za>
In-reply-to

Content
Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html This was reported to security at python dot org, but as far as I can tell, they sat on it for a year. I don't think there is a proper way to encode newlines in CWD commands, according the FTP RFC. If that is the case, then I suggest throwing an exception on any URLs that contain one of '\r\n\0' or any other characters that the FTP protocol simply can't support.

Content

Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html

This was reported to security at python dot org, but as far as I can tell, they sat on it for a year.

I don't think there is a proper way to encode newlines in CWD commands, according the FTP RFC.  If that is the case, then I suggest throwing an exception on any URLs that contain one of '\r\n\0' or any other characters that the FTP protocol simply can't support.

History
Date	User	Action	Args
2017-02-20 16:49:02	ecbftw	set	recipients: + ecbftw
2017-02-20 16:49:02	ecbftw	set	messageid: <1487609342.46.0.653185585548.issue29606@psf.upfronthosting.co.za>
2017-02-20 16:49:02	ecbftw	link	issue29606 messages
2017-02-20 16:49:02	ecbftw	create