[Python-Dev] Python FTP Injections Allow for Firewall Bypass (oss-security advisory)

Guido van Rossum guido at python.org
Tue Jun 20 19:06:49 EDT 2017


I think that the first email about this was received from Timothy D. Morgan
on 1/15/16. You should be able to get confirmation of this from Christian
Heimes. I think that was a dark year for the PSRT.

On Tue, Jun 20, 2017 at 3:35 PM, Victor Stinner <victor.stinner at gmail.com>
wrote:

> Hi,
>
> Re: "[Python-Dev] Python FTP Injections Allow for Firewall Bypass
> (oss-security advisory)"
>
> 2017-02-24 5:36 GMT+01:00 Steven D'Aprano <steve at pearwood.info>:
> > I am not qualified to judge the merits of this, but it does seem
> > worrying that (allegedly) the Python security team hasn't responded for
> > over 12 months.
> >
> > Is anyone able to comment?
>
> I don't have the archives of the PSRT mailing list and I'm not sure
> that I was subscribed when "the" email was sent. Does someone have the
> date of this email? It's to complete the new entry in my doc:
> http://python-security.readthedocs.io/vuln/urllib_ftp_protocol_stream_injection.html#urllib-ftp-protocol-stream-injection
>
> I don't want to blame anyone, I just want to collect data to help us
> to enhance our process to handle security vulnerabilities.
>
> FYI I tried to take care of a few security vulnerabilities recently,
> and as expected, each issue is more tricky than expected :-)
>
> While fixing http://bugs.python.org/issue30500 I noticed that urllib
> accepts newline characters in URLs. I don't know if it's deliberate or
> not... So I created a new issue http://bugs.python.org/issue30713
>
> I updated expat from 2.1.1 to 2.2.0, but now the compilation fails in
> 2.7 on Windows with Visual Studio 2008. And just when I was done,
> expat 2.2.1 was released. I have to do the same job again :-)
>
> Victor



-- 
--Guido van Rossum (python.org/~guido)