.. _ftplib-pasv:

ftplib should not use the host from the PASV response
=====================================================

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This database can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=PSF>`_.

The IPv4 address value returned from the server in response to the PASV
command should not be trusted. This prevents a malicious FTP server from
using the response to probe IPv4 address and port combinations on the
client network.

Instead of using the returned address, we use the IP address we're already
connected to. This is the strategy other ftp clients adopted, and matches
the only strategy available for the modern IPv6 EPSV command where the
server response must return a port number and nothing else.

Dates:

* Disclosure date: **2021-02-21** (Python issue bpo-43285 reported)

Fixed In
--------

* Python **3.6.14** (2021-06-28) fixed by `commit 4134f15 (branch 3.6) <https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88>`_ (2021-03-16)
* Python **3.7.11** (2021-06-28) fixed by `commit 7937395 (branch 3.7) <https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33>`_ (2021-03-16)
* Python **3.8.9** (2021-04-02) fixed by `commit 664d1d1 (branch 3.8) <https://github.com/python/cpython/commit/664d1d16274b47eea6ec92572e1ebf3939a6fa0c>`_ (2021-03-15)
* Python **3.9.3** (2021-04-02) fixed by `commit 7dcb4ba (branch 3.9) <https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335>`_ (2021-03-15)
* Python **3.10.0** (2021-10-04) fixed by `commit 0ab152c (branch 3.10) <https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e>`_ (2021-03-15)

Python issue
------------

ftplib should not use the host from the PASV response.

* Python issue: `bpo-43285 <https://bugs.python.org/issue43285>`_
* Creation date: 2021-02-21
* Reporter: confd0

Timeline
--------

Timeline using the disclosure date **2021-02-21** as reference:

* 2021-02-21: `Python issue bpo-43285 <https://bugs.python.org/issue43285>`_ reported by confd0
* 2021-03-15 (**+22 days**): `commit 0ab152c (branch 3.10) <https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e>`_
* 2021-03-15 (**+22 days**): `commit 664d1d1 (branch 3.8) <https://github.com/python/cpython/commit/664d1d16274b47eea6ec92572e1ebf3939a6fa0c>`_
* 2021-03-15 (**+22 days**): `commit 7dcb4ba (branch 3.9) <https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335>`_
* 2021-03-16 (**+23 days**): `commit 4134f15 (branch 3.6) <https://github.com/python/cpython/commit/4134f154ae2f621f25c5d698cc0f1748035a1b88>`_
* 2021-03-16 (**+23 days**): `commit 7937395 (branch 3.7) <https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33>`_
* 2021-04-02 (**+40 days**): Python 3.8.9 released
* 2021-04-02 (**+40 days**): Python 3.9.3 released
* 2021-06-28 (**+127 days**): Python 3.6.14 released
* 2021-06-28 (**+127 days**): Python 3.7.11 released
* 2021-10-04: Python 3.10.0 released

Links
-----

* curl vulnerability: `CVE-2020-8284: trusting FTP PASV responses <https://hackerone.com/reports/1040166>`_.