Skip to content

Be 3130 CVE 2021 4189 #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MatthewZMD merged 2 commits into from
Feb 13, 2024
Merged

Be 3130 CVE 2021 4189 #36

MatthewZMD merged 2 commits into from
Feb 13, 2024

Conversation

@rickprice
Copy link

@rickprice rickprice commented Feb 13, 2024

Fixes for CVE-2021-4189

rickprice and others added 2 commits February 13, 2024 10:44
@rickprice @gpshead
CVE-2021-4189 cherry-pick Fix 4134f15
73bb207 
[3.6] bpo-43285 Make ftplib not trust the PASV response. (pythonGH-24838) (G…

…H-24881) (pythonGH-24882)

The IPv4 address value returned from the server in response to the PASV command
should not be trusted.  This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.

Instead of using the returned address, we use the IP address we're
already connected to.  This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.

For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True..
(cherry picked from commit 0ab152c)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 664d1d1)
@rickprice
CVE-2021-4189 More fixes to get tests passing
9c666f7 
Various things that need to be fixed to make things work in Python2 land
MatthewZMD
MatthewZMD reviewed Feb 13, 2024
View reviewed changes
Copy link

@MatthewZMD MatthewZMD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rickprice rickprice requested review from MatthewZMD and removed request for icanhasmath February 13, 2024 19:58
@MatthewZMD MatthewZMD merged commit eb5615d into 2.7 Feb 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@MatthewZMD MatthewZMD MatthewZMD approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rickprice @MatthewZMD