-
-
Notifications
You must be signed in to change notification settings - Fork 30k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
bpo-43285: Make ftplib not trust the PASV response. The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else. For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address` attribute on your `ftplib.FTP` instance to True.
- Loading branch information
Showing
3 changed files
with
43 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
8 changes: 8 additions & 0 deletions
8
Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
:mod:`ftplib` no longer trusts the IP address value returned from the server | ||
in response to the PASV command by default. This prevents a malicious FTP | ||
server from using the response to probe IPv4 address and port combinations | ||
on the client network. | ||
|
||
Code that requires the former vulnerable behavior may set a | ||
``trust_server_pasv_ipv4_address`` attribute on their | ||
:class:`ftplib.FTP` instances to ``True`` to re-enable it. |
0ab152c
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not just a security issue, but also the possibility of the server returning an IP address different from that of the client due to various reasons, which may cause subsequent operations on the client side to fail. THS!