<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 21, 2017 at 12:45 PM, Victor Stinner <span dir="ltr"><<a href="mailto:victor.stinner@gmail.com" target="_blank">victor.stinner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">2017-07-21 12:02 GMT+02:00 Victor Stinner <<a href="mailto:victor.stinner@gmail.com">victor.stinner@gmail.com</a>>:<br>
> <a href="https://bugs.python.org/issue29606" rel="noreferrer" target="_blank">https://bugs.python.org/<wbr>issue29606</a><br>
> <a href="http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection" rel="noreferrer" target="_blank">http://python-security.<wbr>readthedocs.io/vuln/urllib_<wbr>ftp_protocol_stream_injection.<wbr>html#urllib-ftp-protocol-<wbr>stream-injection</a><br>
> => not fixed yet<br>
<br>
</span>Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to<br>
find a balance between security (reject any URL looking like an<br>
attempt to counter the security protections) and backward<br>
compatibility (accept filenames containing newlines).<br>
<br>
Maybe we need to only reject a URL which contains a newline in the<br>
"host" part, but accept them in the "path" part of the URL? The<br>
question is if the code splits correctly "host" and "path" parts when<br>
the URL contains a newline. My bet is that no, it behaves badly :-)<br>
<div class="gmail-HOEnZb"><div class="gmail-h5"><br>
Victor<br>
</div></div></blockquote></div><br>It took me a while to understand the security implications of this FTP-related bug, but I believe I got the gist of it here (I can elaborate further if it's not clear):</div><div class="gmail_extra"><a href="https://github.com/python/cpython/pull/1214#issuecomment-298393169">https://github.com/python/cpython/pull/1214#issuecomment-298393169</a></div><div class="gmail_extra">My proposal is to fix ftplib.py and guard against malicious strings involving the *PORT command only*. This way we fix the issue *and* maintain backward compatibility by allowing users to specify "\n" in their paths and username / password pairs. Java took a different approach and disallowed "\n" completely.</div><div class="gmail_extra">To my understanding fixing ftplib would automatically mean fixing urllib as well.</div><div class="gmail_extra"><div><br></div><div>-- <br></div><div class="gmail_signature"><div dir="ltr"><div>Giampaolo - <a href="http://grodola.blogspot.com" target="_blank">http://grodola.blogspot.com</a></div><div><br></div></div></div>
</div></div>
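<div>The host/path split asked about in the quoted message, as an added example that is not part of the original thread or of CPython: it percent-decodes the host and path of an ftp:// URL and rejects CR/LF only in the host. The function name check_ftp_url and the sample URLs are hypothetical, and the example assumes the host is percent-decoded before it is used on the FTP control connection.</div>

```python
# Added example: not CPython code and not from this thread.
from urllib.parse import urlsplit, unquote


def check_ftp_url(url):
    """Split an ftp:// URL and return (host, path), both percent-decoded.

    Raises ValueError when the decoded host contains CR or LF; a newline in
    the decoded path is accepted, so existing filenames keep working.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL: %r" % url)
    # hostname is the netloc without userinfo and port, lower-cased.
    # It is still percent-encoded, so "%0d%0a" must be decoded before checking.
    host = unquote(parts.hostname or "")
    if not host:
        raise ValueError("no host in %r" % url)
    if "\r" in host or "\n" in host:
        raise ValueError("CR/LF in host part: %r" % host)
    return host, unquote(parts.path)


# Constructed sample URLs (example.invalid is a reserved, non-resolving name).
# Raw CR/LF characters are left out of the samples because recent versions of
# urlsplit strip them before splitting; the percent-encoded form survives.
SAMPLES = [
    "ftp://ftp.example.invalid/pub/report.txt",
    "ftp://ftp.example.invalid:2121/pub/two%0Alines.txt",   # newline in path
    "ftp://ftp.example.invalid%0D%0ANOOP/pub/report.txt",   # CR LF in host
]

if __name__ == "__main__":
    for url in SAMPLES:
        try:
            print("accept", check_ftp_url(url))
        except ValueError as exc:
            print("reject", exc)
```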