[Python-Dev] Need help to fix urllib(.parse) vulnerabilities

Giampaolo Rodola' g.rodola at gmail.com
Fri Jul 21 08:43:18 EDT 2017


On Fri, Jul 21, 2017 at 12:45 PM, Victor Stinner <victor.stinner at gmail.com>
wrote:

> 2017-07-21 12:02 GMT+02:00 Victor Stinner <victor.stinner at gmail.com>:
> > https://bugs.python.org/issue29606
> > http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
> > => not fixed yet
>
> Ok, a more concrete problem. To fix the "urllib FTP" bug, we have to
> find a balance between security (reject any URL looking like an
> attempt to counter the security protections) and backward
> compatibility (accept filenames containing newlines).
>
> Maybe we need to only reject a URL which contains a newline in the
> "host" part, but accept them in the "path" part of the URL? The
> question is if the code splits correctly "host" and "path" parts when
> the URL contains a newline. My bet is that no, it behaves badly :-)
>
> Victor

It took me a while to understand the security implications of this
FTP-related bug, but I believe I got the gist of it here (I can elaborate
further if it's not clear):
https://github.com/python/cpython/pull/1214#issuecomment-298393169
My proposal is to fix ftplib.py and guard against malicious strings
involving the *PORT command only*. This way we fix the issue *and* maintain
backward compatibility by allowing users to specify "\n" in their paths and
username / password pairs. Java took a different approach and disallowed
"\n" completely.
To my understanding fixing ftplib would automatically mean fixing urllib as
well.

-- 
Giampaolo - http://grodola.blogspot.com
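The injection the thread is about, and the two kinds of guard it discusses, as an added worked example. This is constructed illustration code, not CPython's ftplib or urllib and not the fix that was eventually merged: it assembles FTP command lines the way a client would, shows what a server parses out of a line whose argument smuggles a newline (here reaching ftplib via a percent-encoded URL path, decoded with `urllib.parse.unquote`), and then contrasts a narrow guard that only refuses an argument which would inject a PORT/EPRT command (Giampaolo's proposal, which keeps "\n" usable in filenames) with a strict guard that rejects any CR or LF (the Java-style approach). The function names, the regex, and the sample host/port are assumptions made for the example.

```python
"""Constructed illustration of FTP protocol stream injection and two guards.
Not CPython's ftplib/urllib code and not the merged fix; names are hypothetical."""
import re
from urllib.parse import unquote

CRLF = "\r\n"


def build_line(verb, arg=None):
    """Unguarded: assemble one FTP command line exactly as a client sends it.

    A CR or LF inside ``arg`` terminates the line early, so whatever follows
    is parsed by the server as a second, attacker-chosen command.
    """
    return f"{verb} {arg}{CRLF}" if arg is not None else f"{verb}{CRLF}"


def server_view(stream):
    """Return the command lines an FTP server would parse out of ``stream``.

    Servers commonly accept a bare LF as a line terminator, so split on both.
    """
    return [line for line in re.split(r"\r?\n", stream) if line]


def port_arg(host, port):
    """Build the ``h1,h2,h3,h4,p1,p2`` argument of a PORT command (RFC 959)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("host must be a dotted IPv4 address")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def filename_from_url_path(path):
    """Percent-decode a URL path segment the way a URL-to-FTP bridge must.

    ``%0A`` becomes a raw newline here, which is how a URL reaches the
    injection above without the caller ever typing a newline.
    """
    return unquote(path)


# Narrow guard (hypothetical): a newline followed by PORT or EPRT is an
# injected data-connection command; anything else is left alone.
_INJECTED_PORT = re.compile(r"[\r\n]\s*(PORT|EPRT)\b", re.IGNORECASE)


def build_line_port_guard(verb, arg=None):
    """Accept newlines in arguments (backward compatible with odd filenames)
    but refuse an argument that would smuggle a PORT/EPRT command."""
    if arg is not None and _INJECTED_PORT.search(arg):
        raise ValueError("argument would inject a PORT/EPRT command")
    return build_line(verb, arg)


def build_line_strict(verb, arg=None):
    """Refuse any CR or LF in the argument, the broad (Java-style) approach."""
    if arg is not None and ("\r" in arg or "\n" in arg):
        raise ValueError("newline in FTP argument")
    return build_line(verb, arg)


def demo():
    """Run the injection through the unguarded builder and return what the
    server sees: two commands, the second one pointing the data connection at
    a host and port of the attacker's choosing (sample values, constructed)."""
    smuggled = filename_from_url_path("report.txt%0APORT%20" + port_arg("10.0.0.5", 25))
    return server_view(build_line("RETR", smuggled))


if __name__ == "__main__":
    for line in demo():
        print(repr(line))
```

Running `demo()` shows the single `RETR` call arriving at the server as `RETR report.txt` followed by `PORT 10,0,0,5,0,25`. The narrow guard raises on that same filename while still accepting a name such as `weird\nname.txt`; the strict guard raises on both, which is exactly the backward-compatibility cost the thread is weighing.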