On Sat, Jul 22, 2017 at 7:10 PM, Giampaolo Rodola' <g.rod...@gmail.com> wrote:
> On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner <victor.stin...@gmail.com> wrote:
>> On 22 Jul 2017 8:04 AM, "Serhiy Storchaka" <storch...@gmail.com> wrote:
>>>
>>> I think the only reliable way of fixing the vulnerability is rejecting or escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the support of RFC 2640 is a new feature and can be added only in 3.7. And this feature should be optional since not all servers support RFC 2640. https://github.com/python/cpython/pull/1214 does the right thing.
>>
>> In that case, I suggest to reject newlines in ftplib, and maybe add an opt-in option to escape newlines.
>>
>> Java just rejected newlines, no? Or does Java allow to escape them?
>>
>> Victor
>
> OK, let's just reject \n then and be done with it. It's a rare use case after all.
> Java just rejects \n for all commands and does not support escaping (aka RFC 2640).

I've just merged the PR. There's the question whether to backport this to older versions, considering there's a small chance this may break some code/apps, but considering the chance is small and this is a security fix I'd probably be +0.5 for backporting it (2.7 + 3.x - not sure up 'till when).

-- 
Giampaolo - http://grodola.blogspot.com
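Added example (not code from the thread or from CPython's ftplib): the framing step the thread is about, shown once without the check and once with the "reject CR/LF" rule the thread settles on; the function names and the sample filename are made up for the illustration.

```python
"""Guarding FTP command lines against CR/LF injection (added example)."""

CRLF = "\r\n"


def frame_unchecked(cmd: str, arg: str = "") -> bytes:
    """The behaviour the thread calls vulnerable: the argument is framed as-is,
    so a CR/LF inside it ends the line early and whatever follows is sent as
    a further line on the control connection."""
    line = f"{cmd} {arg}" if arg else cmd
    return (line + CRLF).encode("latin-1")


def frame_checked(cmd: str, arg: str = "") -> bytes:
    """Hardened framing: reject CR and LF anywhere in the line rather than
    escape them (the thread chose rejection over RFC 2640 escaping)."""
    line = f"{cmd} {arg}" if arg else cmd
    if "\r" in line or "\n" in line:
        raise ValueError("an illegal newline character should not be contained")
    return (line + CRLF).encode("latin-1")


def command_count(wire: bytes) -> int:
    """Number of lines a server would read from the bytes; LF is counted so
    that both CRLF and a bare LF terminator are covered."""
    return wire.count(b"\n")


if __name__ == "__main__":
    # Constructed sample: a filename that happens to contain a line break.
    bad_name = "report\r\nsecond.txt"
    print(command_count(frame_unchecked("RETR", bad_name)))  # 2 lines on the wire
    try:
        frame_checked("RETR", bad_name)
    except ValueError as exc:
        print("rejected:", exc)
    print(command_count(frame_checked("RETR", "report.txt")))  # 1
```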