Gregory P. Smith <g...@krypto.org> added the comment:

I'm not interested in chasing down a CVE for this myself.  If anyone wants to 
jump through the hoops to obtain one, the text used for curl in the hackerone 
link is likely a good guide.

My PR includes a way for people to opt-out of the secure behavior (why would 
anyone ever want that?) by setting the use_untrusted_server_pasv_ipv4_addr 
attribute to True on their ftplib.FTP instance.  Setting that attribute on a 
server lacking this fix is a no-op, making it safe to add to code running on 
any version.

This is an embarrassingly old widespread common issue in a large number of ftp 
clients.  Even the 1998 IPv6 RFC https://tools.ietf.org/html/rfc2428 indirectly 
acknowledges its existence by disallowing the new EPSV command that replaces 
PASV from returning anything other than the port number while leaving fields 
for the other values present but empty...

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43285>
_______________________________________
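An added illustration of the mitigation the comment describes (this is example code, not the PR's or CPython's ftplib implementation): a parser for the 227 PASV and 229 EPSV replies, with the endpoint choice made the secure way by default, keeping the server's port but connecting to the host the control connection already talks to. The flag name `trust_server_address` and the sample replies are assumptions constructed for the example.

```python
import re

# Constructed sample replies (not taken from the tracker thread).
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||51200|)"

_PASV_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# RFC 2428: "(<d><d><d><tcp-port><d>)" where <d> is any printable ASCII delimiter.
_EPSV_RE = re.compile(r"\(([!-~])\1\1(\d+)\1\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) exactly as the server advertised them in a 227 reply."""
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed 227 reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; RFC 2428 permits no host field at all."""
    if not reply.startswith("229"):
        raise ValueError(f"unexpected reply: {reply!r}")
    m = _EPSV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed 229 reply: {reply!r}")
    port = int(m.group(2))
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range in 229 reply: {reply!r}")
    return port


def pasv_data_endpoint(reply: str, control_peer_host: str,
                       trust_server_address: bool = False) -> tuple[str, int]:
    """Pick where the data connection goes after a 227 reply.

    Secure default: keep the advertised port but connect to the host the
    control connection already talks to, so the server cannot point the
    client at a third party.  trust_server_address=True (hypothetical name
    for the opt-out the comment describes) uses the advertised host instead.
    """
    host, port = parse_pasv(reply)
    return (host if trust_server_address else control_peer_host), port
```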