[Python-Dev] Need help to fix urllib(.parse) vulnerabilities
Random832
random832 at fastmail.com
Fri Jul 21 10:23:10 EDT 2017
On Fri, Jul 21, 2017, at 08:43, Giampaolo Rodola' wrote:
> It took me a while to understand the security implications of this
> FTP-related bug, but I believe I got the gist of it here (I can
> elaborate further if it's not clear):
> https://github.com/python/cpython/pull/1214#issuecomment-298393169
> My proposal is to fix ftplib.py and guard against malicious
> strings involving the *PORT command only*. This way we fix the
> issue *and* maintain backward compatibility by allowing users to
> specify "\n" in their paths and username / password pairs. Java
> took a different approach and disallowed "\n" completely. To my
> understanding fixing ftplib would automatically mean fixing urllib
> as well.

What would a \n in a path mean? What commands would you send over FTP to successfully retrieve a file (or enter a username or password) containing a newline in the name? In other words, what exactly are we being backward compatible *with*?
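The two guard policies under discussion, as an added illustration (not code from the thread or from CPython's ftplib): FTP command lines are CRLF-terminated, so a bare "\r" or "\n" in an argument means the server reads more than one command. The function names, the "all" / "port_only" policy labels and the sample argument are constructed for this example.

```python
# Added example, not CPython's ftplib. Shows why a line break inside an FTP
# argument cannot be sent as one command, and how the two proposed guards
# (reject everywhere vs. reject in PORT only) differ.
CRLF = "\r\n"


def contains_line_break(text: str) -> bool:
    """True if the text would end an FTP command line early."""
    return "\r" in text or "\n" in text


def encode_command(verb: str, arg: str = "", policy: str = "all") -> bytes:
    """Build one FTP command line under a newline-guard policy.

    policy="all"       rejects a line break in any command (the Java approach)
    policy="port_only" rejects it only in PORT (the narrower proposal)
    Both policy names are assumptions of this example.
    """
    if policy not in ("all", "port_only"):
        raise ValueError(f"unknown policy {policy!r}")
    guarded = policy == "all" or verb.upper() == "PORT"
    if guarded and (contains_line_break(verb) or contains_line_break(arg)):
        raise ValueError("illegal newline character in FTP command")
    line = f"{verb} {arg}" if arg else verb
    return (line + CRLF).encode("latin-1")


def wire_line_count(raw: bytes) -> int:
    """How many command lines a server would parse from the bytes sent."""
    return sum(1 for line in raw.split(b"\n") if line.strip())


if __name__ == "__main__":
    sample = "a\nb"  # constructed path containing a line break
    # Under "port_only" a RETR with this path goes out as two lines.
    print(wire_line_count(encode_command("RETR", sample, policy="port_only")))
    try:
        encode_command("RETR", sample, policy="all")
    except ValueError as exc:
        print("rejected:", exc)
```

A path that the guard lets through is never sent as a single RETR, which is the point of the question above: there is no one-command encoding of such a name to stay compatible with.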