[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Change by Ned Deily : -- Removed message: https://bugs.python.org/msg342096 ___ Python tracker ___ ___ Python-bugs-list mailing

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Ned Deily added the comment: New changeset 2a5a26c87e82c7d9a348792891feccd1b5e9a769 by larryhastings (Dong-hee Na) in branch '3.4': [3.4] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2893)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Ned Deily : -- priority: release blocker -> resolution: -> fixed stage: backport needed -> resolved status: open -> closed ___ Python tracker

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Larry Hastings added the comment: New changeset 2a5a26c87e82c7d9a348792891feccd1b5e9a769 by larryhastings (Dong-hee Na) in branch '3.4': [3.4] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2893)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

STINNER Victor added the comment: New changeset e5eae474c431af2880a68f6329840b9288fc4bc1 by Victor Stinner (Dong-hee Na) in branch '2.7': [2.7] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2894)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Giampaolo Rodola' added the comment: AFAIK its only use case is to escape \r and \n. -- ___ Python tracker ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

STINNER Victor added the comment: Victor> What about rejecting also NUL byte? Giampaolo Rodola'> I don't it would make any difference at this point. I asked because I read that filenames containing newlines can be escaped using \n\0. So it seems like "embedded" NUL bytes have a special

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Dong-hee Na : -- pull_requests: +2946 ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Dong-hee Na : -- pull_requests: +2945 ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Giampaolo Rodola' added the comment: > What about rejecting also NUL byte? I don't it would make any difference at this point. -- ___ Python tracker ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

STINNER Victor added the comment: @corona10: Cool, 3.3, 3.5, 3.6 and master are fixed. Would you mind to create also backports for 2.7 and 3.4, please? -- ___ Python tracker

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

STINNER Victor added the comment: New changeset 8c2d4cf092c5f0335e7982392a33927579c4d512 by Victor Stinner (Dong-hee Na) in branch '3.6': [3.6] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2886)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Ned Deily added the comment: New changeset 19b2890014d3098147d16475c492a47a43893768 by Ned Deily (Dong-hee Na) in branch '3.5': [3.5] [security] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2887)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Dong-hee Na : -- pull_requests: +2939 ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Dong-hee Na : -- pull_requests: +2938 ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Ned Deily added the comment: New changeset a4e774f86224cd8c997deaa4e71312cf1a7b023c by Ned Deily (Dong-hee Na) in branch '3.3': [3.3] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2885)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Dong-hee Na : -- pull_requests: +2937 ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Dong-hee Na added the comment: Okay, I will send backport today. -- ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Ned Deily added the comment: Just FYI, if the backports to 3.5, 3.4, and 3.3 happen *really* fast, we *might* be able to get them into the current round of releases, if Larry approves for 3.5.4 final and 3.4.7 final. If the 3.3 backport doesn't happen soon, 3.3 will reach end of life without

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

STINNER Victor added the comment: I closed bpo-29606 as a duplicate of this bug. -- superseder: urllib FTP protocol stream injection -> ___ Python tracker

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

STINNER Victor added the comment: What about rejecting also NUL byte? -- status: pending -> open ___ Python tracker ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Ned Deily : -- status: open -> pending ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Ned Deily : -- nosy: +haypo status: pending -> open ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Giampaolo Rodola' added the comment: Reopening as it needs backports for 2.7, 3.3, 3.4, 3.5 and 3.6. -- resolution: duplicate -> stage: resolved -> backport needed status: closed -> pending versions: +Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Giampaolo Rodola' added the comment: New changeset 2b1e6e9696cb433c0e0da11145157d54275d119f by Giampaolo Rodola (Dong-hee Na) in branch 'master': bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214)

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Berker Peksag : -- stage: -> resolved status: open -> closed ___ Python tracker ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Giampaolo Rodola' added the comment: The relevant discussion of this bug is happening in https://github.com/python/cpython/pull/1214. -- ___ Python tracker

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Martin Panter added the comment: I suggest to close this as a duplicate. The pull request itself looks like the right direction to me, but let’s not split the discussion up more than necessary. -- nosy: +martin.panter resolution: -> duplicate superseder: -> urllib FTP protocol

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Dong-hee Na added the comment: '\ r' -> '\r' '\ n' -> '\n' -- ___ Python tracker ___ ___ Python-bugs-list

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Dong-hee Na added the comment: One of the purposes of the JDK patch is to prevent '\ r' and '\ n' from being inserted into the ftp command. In particular, it seems to assume that if another malice command is inserted after '\ n', the possibility of such an attack will be opened at a later

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Giampaolo Rodola' : -- nosy: +giampaolo.rodola ___ Python tracker ___ ___

[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

Changes by Dong-hee Na : -- title: A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Python application -> (ftplib) A remote attacker could possibly attack by containing the newline characters