[issue30713] Reject newline character (U+000A) in URLs in urllib.parse

2017-07-22 Thread ecbftw
ecbftw added the comment: I'm the guy that did the original security research on this issue. I've been a pentester for over 12 years, where I am regularly helping developers understand how to best correct their injection flaws. Please carefully consider what I'm trying to tell you. I've been

[issue29606] urllib FTP protocol stream injection

2017-07-21 Thread ecbftw
ecbftw added the comment: > What is wrong with a URL containing '\n'? I suppose that when formatting a > request with a text protocol, an embedded '\n' can split the request line on two > lines and inject a new command. The most robust way would be to check whether > the formatted line
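The splitting described above, as an added example that is not code from the thread or from CPython: a naive FTP command formatter, a model of how a server reads the resulting byte stream (assumed lenient, accepting bare LF as well as CRLF, which is common in practice), and the check that refuses to format an argument containing CR or LF. The command names and the sample paths are constructed for the demonstration.

```python
"""FTP protocol stream injection via a newline in a command argument.

Added example, not part of the original thread or of CPython's ftplib.
All inputs below are constructed.
"""

CRLF = "\r\n"


def build_ftp_line(cmd: str, arg: str) -> str:
    """Naive formatting: trusts the argument and appends CRLF.

    This is the 'before' behaviour being discussed; it is what turns an
    attacker-controlled path into extra commands on the wire.
    """
    return f"{cmd} {arg}{CRLF}"


def commands_as_seen_by_server(wire: str) -> list[str]:
    """Model of a lenient FTP server's command reader (assumption).

    Splits on LF and strips a trailing CR, so both CRLF and bare LF end a
    command line. Returns the list of distinct commands the server would execute.
    """
    return [line.rstrip("\r") for line in wire.split("\n") if line.rstrip("\r")]


def putline_checked(cmd: str, arg: str) -> str:
    """Hardened formatter: rejects any argument that could break the line.

    Checking at the point where the line is formatted (rather than only
    at URL parsing) covers every API that can feed a path, user name or
    password into an FTP command.
    """
    if "\r" in arg or "\n" in arg:
        raise ValueError("FTP argument must not contain CR or LF")
    return build_ftp_line(cmd, arg)


def reject_newline_in_url(url: str) -> str:
    """The complementary URL-level check (the issue30713 proposal):
    refuse a URL that carries U+000A or U+000D before it is parsed."""
    if "\n" in url or "\r" in url:
        raise ValueError("URL contains a newline character")
    return url


if __name__ == "__main__":
    # Constructed attacker-controlled path: the 'directory' ends one command
    # and starts another.
    injected = "pub" + CRLF + "DELE important.txt"

    wire = build_ftp_line("CWD", injected)
    print(repr(wire))
    # The server sees two commands, not one:
    for c in commands_as_seen_by_server(wire):
        print("server executes:", c)

    # The hardened formatter refuses the same input.
    try:
        putline_checked("CWD", injected)
    except ValueError as e:
        print("rejected:", e)
```

The server-side model is deliberately lenient: rejecting only the exact CRLF sequence would still let a bare LF through on servers that accept it, which is why the check refuses both characters individually.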

[issue29606] urllib FTP protocol stream injection

2017-07-21 Thread ecbftw
ecbftw added the comment: > The best place to reject invalid characters is where the URL is parsed, no? > See also my bpo-30713. No, I don't really agree with that. What other APIs can be used to submit a directory name, user name, password, or other field in an FTP command? If you

[issue29606] urllib FTP protocol stream injection

2017-05-01 Thread ecbftw
ecbftw added the comment: It was just pointed out by @giampaolo in (https://github.com/python/cpython/pull/1214) that an escaping mechanism does actually exist for FTP, as defined in RFC-2640. The relevant passage is as follows: When a character is encountered as part of a pathname

[issue29606] urllib FTP protocol stream injection

2017-02-20 Thread ecbftw
New submission from ecbftw: Please see: http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html This was reported to security at python dot org, but as far as I can tell, they sat on it for a year. I don't think there is a proper way to encode newlines in CWD