[issue43285] ftplib use host from PASV response

2021-03-13 Thread Gregory P. Smith
Gregory P. Smith added the comment: I'm not interested in chasing down a CVE for this myself. If anyone wants to jump through the hoops to obtain one, the text used for curl in the hackerone link is likely a good guide. My PR includes a way for people to opt-out of the secure behavior (why

[issue43285] ftplib use host from PASV response

2021-03-13 Thread Gregory P. Smith
Change by Gregory P. Smith: -- keywords: +patch pull_requests: +23603 stage: needs patch -> patch review pull_request: https://github.com/python/cpython/pull/24838

[issue43285] ftplib use host from PASV response

2021-03-13 Thread Gregory P. Smith
Gregory P. Smith added the comment: Indeed, the `host` on that line there should just be ignored with the IP address of the original data connection used in its place. Your https://hackerone.com/reports/1040166 link provides plenty of information and links to prior art mitigations other ftp

[issue43285] ftplib use host from PASV response

2021-03-08 Thread confd0
confd0 added the comment: Any response here? If you need more information let me know.

[issue43285] ftplib use host from PASV response

2021-02-21 Thread hai shi
Change by hai shi: -- nosy: +giampaolo.rodola

[issue43285] ftplib use host from PASV response

2021-02-21 Thread RiceX Star
New submission from RiceX Star: Last year, curl had a security update for CVE-2020-8284. For more info, see https://hackerone.com/reports/1040166 The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting back to a given IP add
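As an added illustration of the problem reported above and of the mitigation Gregory describes (ignore the host the server advertises, keep only the port, and reconnect to the control connection's peer), here is a stand-alone parser for an FTP 227 PASV reply. This is example code written for this page, not the CPython patch; the sample reply and the addresses in it are constructed.

```python
import re
from typing import NamedTuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_227_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class PasvTarget(NamedTuple):
    host: str             # address the client will actually connect to
    port: int             # data port taken from the reply
    advertised_host: str  # address the server put in the reply
    redirected: bool      # True when the advertised host differs from the peer


def parse_pasv_reply(reply: str, control_peer_host: str,
                     trust_server_host: bool = False) -> PasvTarget:
    """Parse a 227 reply and pick the data-connection endpoint.

    By default the host advertised by the server is ignored and the peer
    address of the existing control connection is used instead, so a
    malicious or misconfigured server cannot steer the data connection to
    an arbitrary address. trust_server_host=True restores the old
    behaviour for setups that genuinely need the advertised address.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    match = _PASV_227_RE.search(reply)
    if match is None:
        raise ValueError(f"malformed 227 reply: {reply!r}")
    fields = [int(x) for x in match.groups()]
    # Each of the six fields is one byte; reject anything else outright.
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"field out of range in 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    advertised = f"{h1}.{h2}.{h3}.{h4}"
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError(f"invalid data port in 227 reply: {reply!r}")
    redirected = advertised != control_peer_host
    host = advertised if trust_server_host else control_peer_host
    return PasvTarget(host, port, advertised, redirected)


if __name__ == "__main__":
    # Constructed sample: the control connection peer is 203.0.113.7, but the
    # server's reply advertises a different address. The parser keeps the
    # port and reconnects to the peer, flagging the mismatch for logging.
    target = parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,4,1).",
                              "203.0.113.7")
    print(target)  # host='203.0.113.7', port=1025, advertised_host='10.0.0.5', redirected=True
```

The `trust_server_host` flag plays the role of the opt-out Gregory mentions; the attribute CPython added for this is `FTP.trust_server_pasv_ipv4_address`, which defaults to False.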