[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2019-05-10 Thread Ned Deily


Change by Ned Deily :


--
Removed message: https://bugs.python.org/msg342096

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2019-05-10 Thread Ned Deily


Ned Deily  added the comment:


New changeset 2a5a26c87e82c7d9a348792891feccd1b5e9a769 by larryhastings 
(Dong-hee Na) in branch '3.4':
[3.4] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal 
command (#1214) (#2893)
https://github.com/python/cpython/commit/2a5a26c87e82c7d9a348792891feccd1b5e9a769


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-27 Thread Ned Deily

Changes by Ned Deily :


--
priority: release blocker -> 
resolution:  -> fixed
stage: backport needed -> resolved
status: open -> closed




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-27 Thread Larry Hastings

Larry Hastings added the comment:


New changeset 2a5a26c87e82c7d9a348792891feccd1b5e9a769 by larryhastings 
(Dong-hee Na) in branch '3.4':
[3.4] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal 
command (#1214) (#2893)
https://github.com/python/cpython/commit/2a5a26c87e82c7d9a348792891feccd1b5e9a769


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread STINNER Victor

STINNER Victor added the comment:


New changeset e5eae474c431af2880a68f6329840b9288fc4bc1 by Victor Stinner 
(Dong-hee Na) in branch '2.7':
[2.7] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal 
command (#1214) (#2894)
https://github.com/python/cpython/commit/e5eae474c431af2880a68f6329840b9288fc4bc1


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread Giampaolo Rodola'

Giampaolo Rodola' added the comment:

AFAIK its only use case is to escape \r and \n.

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread STINNER Victor

STINNER Victor added the comment:

Victor> What about rejecting also NUL byte?
Giampaolo Rodola'> I don't think it would make any difference at this point.

I asked because I read that filenames containing newlines can be escaped using 
\n\0. So it seems like "embedded" NUL bytes have a special semantic in FTP.
http://bugs.python.org/issue29606#msg292677

I have no opinion on NUL bytes. It's just that I saw them mentioned somewhere 
in the discussion, but I failed to see a rationale to accept or reject them.

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread Dong-hee Na

Changes by Dong-hee Na :


--
pull_requests: +2946




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread Dong-hee Na

Changes by Dong-hee Na :


--
pull_requests: +2945




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread Giampaolo Rodola'

Giampaolo Rodola' added the comment:

> What about rejecting also NUL byte?

I don't think it would make any difference at this point.

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread STINNER Victor

STINNER Victor added the comment:

@corona10: Cool, 3.3, 3.5, 3.6 and master are fixed. Would you mind to create 
also backports for 2.7 and 3.4, please?

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread STINNER Victor

STINNER Victor added the comment:


New changeset 8c2d4cf092c5f0335e7982392a33927579c4d512 by Victor Stinner 
(Dong-hee Na) in branch '3.6':
[3.6] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal 
command (#1214) (#2886)
https://github.com/python/cpython/commit/8c2d4cf092c5f0335e7982392a33927579c4d512


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-26 Thread Ned Deily

Ned Deily added the comment:


New changeset 19b2890014d3098147d16475c492a47a43893768 by Ned Deily (Dong-hee 
Na) in branch '3.5':
[3.5] [security] bpo-30119: fix ftplib.FTP.putline() to throw an error for a 
illegal command (#1214) (#2887)
https://github.com/python/cpython/commit/19b2890014d3098147d16475c492a47a43893768


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Dong-hee Na

Changes by Dong-hee Na :


--
pull_requests: +2939




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Dong-hee Na

Changes by Dong-hee Na :


--
pull_requests: +2938




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Ned Deily

Ned Deily added the comment:


New changeset a4e774f86224cd8c997deaa4e71312cf1a7b023c by Ned Deily (Dong-hee 
Na) in branch '3.3':
[3.3] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal 
command (#1214) (#2885)
https://github.com/python/cpython/commit/a4e774f86224cd8c997deaa4e71312cf1a7b023c


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Dong-hee Na

Changes by Dong-hee Na :


--
pull_requests: +2937




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Dong-hee Na

Dong-hee Na added the comment:

Okay, I will send backport today.

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Ned Deily

Ned Deily added the comment:

Just FYI, if the backports to 3.5, 3.4, and 3.3 happen *really* fast, we 
*might* be able to get them into the current round of releases, if Larry 
approves for 3.5.4 final and 3.4.7 final.  If the 3.3 backport doesn't happen 
soon, 3.3 will reach end of life without it.

--
keywords: +security_issue
nosy: +benjamin.peterson, georg.brandl, larry, ned.deily
priority: normal -> release blocker




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread STINNER Victor

STINNER Victor added the comment:

I closed bpo-29606 as a duplicate of this bug.

--
superseder: urllib FTP protocol stream injection -> 




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread STINNER Victor

STINNER Victor added the comment:

What about rejecting also NUL byte?

--
status: pending -> open




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Ned Deily

Changes by Ned Deily :


--
status: open -> pending




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Ned Deily

Changes by Ned Deily :


--
nosy: +haypo
status: pending -> open




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-25 Thread Giampaolo Rodola'

Giampaolo Rodola' added the comment:

Reopening as it needs backports for 2.7, 3.3, 3.4, 3.5 and 3.6.

--
resolution: duplicate -> 
stage: resolved -> backport needed
status: closed -> pending
versions: +Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-07-22 Thread Giampaolo Rodola'

Giampaolo Rodola' added the comment:


New changeset 2b1e6e9696cb433c0e0da11145157d54275d119f by Giampaolo Rodola 
(Dong-hee Na) in branch 'master':
bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command 
(#1214)
https://github.com/python/cpython/commit/2b1e6e9696cb433c0e0da11145157d54275d119f


--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-05-05 Thread Berker Peksag

Changes by Berker Peksag :


--
stage:  -> resolved
status: open -> closed




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-05-01 Thread Giampaolo Rodola'

Giampaolo Rodola' added the comment:

The relevant discussion of this bug is happening in 
https://github.com/python/cpython/pull/1214.

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-04-29 Thread Martin Panter

Martin Panter added the comment:

I suggest to close this as a duplicate. The pull request itself looks like the 
right direction to me, but let’s not split the discussion up more than 
necessary.

--
nosy: +martin.panter
resolution:  -> duplicate
superseder:  -> urllib FTP protocol stream injection




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-04-28 Thread Dong-hee Na

Dong-hee Na added the comment:

'\ r' -> '\r'
'\ n' -> '\n'

--




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-04-28 Thread Dong-hee Na

Dong-hee Na added the comment:

One of the purposes of the JDK patch is to prevent '\ r' and '\ n' from being 
inserted into the ftp command. In particular, it seems to assume that if 
another malicious command is inserted after '\ n', the possibility of such an 
attack will be opened at a later time.
IMO, I think that we can block '\ r \ n' and '\ n' at the same time by blocking 
only '\ n'. Although '\ r' allows

--


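The newline check discussed in this thread, as an added example that is not part of any message here and is not CPython's own code. The helper names (`wire_commands`, `checked_command`, `ftplib_rejects`) and the sample file names are hypothetical; the only library call used is `ftplib.FTP.putline()`, probed on an unconnected `FTP` object so nothing is sent.

```python
import ftplib
import re

CRLF = "\r\n"

def wire_commands(line):
    """Commands a server would read if `line` + CRLF were sent unchecked.

    Assumption: the server ends a command at CRLF or at a bare LF.
    """
    return [c for c in re.split(r"\r?\n", line + CRLF) if c]

def checked_command(verb, argument):
    """Build 'VERB argument', refusing CR and LF anywhere in the line."""
    line = f"{verb} {argument}"
    if "\r" in line or "\n" in line:
        raise ValueError("illegal newline character in FTP command")
    return line

def ftplib_rejects(line):
    """True if the installed ftplib refuses `line` before any network I/O."""
    ftp = ftplib.FTP()  # no host given, so no connection is opened
    try:
        ftp.putline(line)
    except ValueError:
        return True   # rejected by the newline check
    except AttributeError:
        return False  # passed validation and reached the missing socket
    return False

# Constructed sample: a file name taken from untrusted input.
CLEAN_NAME = "report.txt"
TAINTED_NAME = "report.txt\r\nNOOP"

if __name__ == "__main__":
    print(wire_commands("RETR " + TAINTED_NAME))  # one call, two commands
    print(checked_command("RETR", CLEAN_NAME))
    try:
        checked_command("RETR", TAINTED_NAME)
    except ValueError as exc:
        print("refused:", exc)
    print("ftplib rejects tainted line:", ftplib_rejects("RETR " + TAINTED_NAME))
```

On an interpreter that carries the fix, `ftplib_rejects()` returns `True` for the tainted line, which makes it usable as a quick check of whether a deployed Python still needs the caller-side guard.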


[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-04-28 Thread Giampaolo Rodola'

Changes by Giampaolo Rodola' :


--
nosy: +giampaolo.rodola




[issue30119] (ftplib) A remote attacker could possibly attack by containing the newline characters

2017-04-20 Thread Dong-hee Na

Changes by Dong-hee Na :


--
title: A remote attacker could possibly use this flaw to manipulate an FTP 
connection opened by a Python application -> (ftplib) A remote attacker could 
possibly attack by containing the newline characters
