[issue23130] Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem

2014-12-30 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 8f92ab37dd3a by Benjamin Peterson in branch '2.7':
delete old ftpmirror script, which now has security bugs (closes #23130)
https://hg.python.org/cpython/rev/8f92ab37dd3a

New changeset 223d0927e27d by Benjamin Peterson in branch '3.2':
delete old ftpmirror script, which now has security bugs (closes #23130)
https://hg.python.org/cpython/rev/223d0927e27d

New changeset e15d93926e47 by Benjamin Peterson in branch '3.3':
merge 3.2 (#23130)
https://hg.python.org/cpython/rev/e15d93926e47

New changeset 483746c32296 by Benjamin Peterson in branch '3.4':
merge 3.3 (#23130)
https://hg.python.org/cpython/rev/483746c32296

New changeset 4b64d300a67a by Benjamin Peterson in branch 'default':
merge 3.4 (#23130)
https://hg.python.org/cpython/rev/4b64d300a67a

--
nosy: +python-dev
resolution:  -> fixed
stage:  -> resolved
status: open -> closed

___
Python tracker

___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue23130] Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem

2014-12-30 Thread R. David Murray

R. David Murray added the comment:

I would guess that the most future-proof response to this would be to delete 
the script.  If we do keep it, it should definitely be fixed.

--
nosy: +r.david.murray




[issue23130] Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem

2014-12-29 Thread Guido Vranken

New submission from Guido Vranken:

Tools/scripts/ftpmirror.py does not guard against arbitrary path constructions, 
and, given a connection to a malicious FTP server (or a man-in-the-middle 
attack), it is possible that any file on the client's filesystem gets 
overwritten. I.e., if we suppose that ftpmirror.py is run from a "base 
directory" /home/xxx/yyy, file creations can occur outside this base directory, 
such as in /tmp, /etc, /var, just to give some examples.

I've constructed a partial proof of concept FTP server that demonstrates 
directory and file creation outside the base directory (the directory the 
client script was launched from). I understand that most of the files in 
Tools/scripts/ are legacy applications that have long been deprecated. However, 
if the maintainers think these applications should be safe nonetheless, I'll be 
happy to construct and submit a patch that will remediate this issue.

Guido Vranken
Intelworks

--
components: Demos and Tools
messages: 233189
nosy: Guido
priority: normal
severity: normal
status: open
title: Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6

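The report above describes the missing check: names taken from an untrusted FTP listing are joined onto the local base directory without verifying that the result stays inside it. The following is an added illustration of such a check, written for this page; it is not code from ftpmirror.py, from the reporter, or from CPython. The function names `safe_local_path` and `filter_listing`, the base directory `/home/xxx/yyy` (taken from the report), and the sample listing are constructed for the example.

```python
import os
import posixpath


def safe_local_path(base_dir: str, remote_name: str) -> str:
    """Map a name from an untrusted FTP listing to a local path under base_dir.

    Raises ValueError if the name is empty, absolute, contains a '..'
    component, or would otherwise resolve outside base_dir.
    The check is lexical (normpath/commonpath), so it does not follow
    symlinks that may already exist on disk.
    """
    if not remote_name or remote_name in (".", ".."):
        raise ValueError(f"refusing empty or dot name: {remote_name!r}")
    # FTP listings use '/' as the separator; treat the name as a POSIX path.
    if remote_name.startswith("/"):
        raise ValueError(f"refusing absolute remote name: {remote_name!r}")
    # On platforms whose separator is not '/', a backslash in the name would
    # become a directory separator locally; reject it rather than reinterpret it.
    if os.sep != "/" and os.sep in remote_name:
        raise ValueError(f"refusing name with local separator: {remote_name!r}")

    normalized = posixpath.normpath(remote_name)
    parts = normalized.split("/")
    if ".." in parts:
        raise ValueError(f"refusing parent traversal: {remote_name!r}")

    base_abs = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base_abs, *parts))
    # Belt and braces: after joining, the base must still be a prefix path.
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise ValueError(f"name escapes base directory: {remote_name!r}")
    return candidate


def filter_listing(base_dir: str, names: list[str]) -> tuple[list[str], list[str]]:
    """Split an untrusted listing into names a mirror may write and names it
    must refuse. Returns (accepted, rejected) preserving listing order."""
    accepted: list[str] = []
    rejected: list[str] = []
    for name in names:
        try:
            safe_local_path(base_dir, name)
        except ValueError:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample listing, as a hostile server might return it (not real data).
SAMPLE_LISTING = [
    "index.html",
    "docs/readme.txt",
    "sub/../ok.txt",      # normalizes to ok.txt, still inside the base
    "../../etc/passwd",   # climbs out of the base directory
    "/tmp/evil",          # absolute path, ignores the base entirely
    "",                   # empty name
]


if __name__ == "__main__":
    ok, bad = filter_listing("/home/xxx/yyy", SAMPLE_LISTING)
    for name in ok:
        print("write :", safe_local_path("/home/xxx/yyy", name))
    for name in bad:
        print("refuse:", repr(name))
```

The lexical check is the minimum a mirroring client needs before creating files or directories from server-supplied names; a mirror that runs repeatedly against the same tree should additionally resolve the final path with `os.path.realpath` before writing, so that a directory replaced by a symlink in an earlier run cannot redirect a later write.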