urllib FTP protocol stream injection

FTP protocol stream injection via malicious URLs.

  • Disclosure date: 2017-02-20 (blog post, mail to oss-security)
  • Reported at: 2016-01-15 (email sent to the PSRT list)
  • Reported by: Timothy D. Morgan (Blindspot)

Fixed In

Vulnerable Versions

  • Python 3.3
  • Python 3.6

Python issue

(ftplib) A remote attacker could possibly attack by containing the newline characters.

  • Python issue: issue #30119
  • Creation date: 2017-04-20
  • Reporter: Dong-hee Na
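A caller-side check for the newline problem described above, as an added example that is not part of the original page and is not CPython's fix: it percent-decodes each field of an ftp:// URL and reports the fields that contain CR or LF. The function names and the example.test URLs are constructed for illustration, and the code assumes that user, password and each path segment are percent-decoded before being sent as FTP command arguments.

```python
from urllib.parse import urlsplit, unquote

# Characters that end an FTP command line on the control connection.
LINE_BREAKS = ("\r", "\n")


def ftp_url_newline_fields(url):
    """Return the names of URL fields that carry CR or LF once percent-decoded.

    A literal CR/LF anywhere in the URL string is reported as "url" before
    parsing, because newer urlsplit() versions silently strip those characters.
    Non-ftp URLs and clean ftp URLs return an empty list.
    """
    if any(ch in url for ch in LINE_BREAKS):
        return ["url"]
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return []
    # Split credentials from the host by hand so the still-encoded text is kept.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    fields = [("user", user), ("password", password), ("host", hostport)]
    # Each path segment is assumed to become its own command argument.
    for index, segment in enumerate(parts.path.split("/")):
        fields.append((f"path[{index}]", segment))
    flagged = []
    for name, raw in fields:
        decoded = unquote(raw)  # decode once, as the assumed client does
        if any(ch in decoded for ch in LINE_BREAKS):
            flagged.append(name)
    return flagged


def require_clean_ftp_url(url):
    """Return url unchanged, or raise ValueError naming the offending fields."""
    flagged = ftp_url_newline_fields(url)
    if flagged:
        raise ValueError("newline in FTP URL field(s): " + ", ".join(flagged))
    return url


if __name__ == "__main__":
    # Constructed sample URLs.
    for sample in ("ftp://example.test/pub/file.txt",
                   "ftp://example.test/dir%0d%0aEXTRA/file.txt"):
        print(sample, "->", ftp_url_newline_fields(sample))
```

Run the check on any URL received from an untrusted source before handing it to urllib, including on interpreter versions that already reject newlines in ftplib.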

Timeline

Timeline using the disclosure date 2017-02-20 as reference:

  • 2016-01-15 (-402 days): Reported (email sent to the PSRT list)
  • 2017-02-20: Disclosure date (blog post, mail to oss-security)
  • 2017-04-20 (+59 days): Python issue #30119 reported by Dong-hee Na
  • 2017-07-26 (+156 days): commit 19b2890
  • 2017-07-26 (+156 days): commit e5eae47
  • 2017-07-27 (+157 days): commit 2a5a26c
  • 2017-08-08 (+169 days): Python 3.5.4 released
  • 2017-08-09 (+170 days): Python 3.4.7 released
  • 2017-09-17 (+209 days): Python 2.7.14 released