Le 22 juil. 2017 8:04 AM, "Serhiy Storchaka" <storch...@gmail.com> a écrit :
I think the only reliable way of fixing the vulnerability is rejecting or escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the support of RFC 2640 is a new feature and can be added only in 3.7. And this feature should be optional since not all servers support RFC 2640. https://github.com/python/cpython/pull/1214 does the right thing. In that case, I suggest to reject newlines in ftplib, and maybe add an opt-in option to escape newlines. Java just rejected newlines, no? Or does Java allows to escape them? Victor
_______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
