.. _urllib-ftp-stream-injection:

urllib FTP protocol stream injection
====================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**. The `canonical
   database for vulnerabilities affecting Python
   <https://github.com/psf/advisory-database>`_ is available on GitHub in
   the Open Source Vulnerability (OSV) format. This database can be viewed
   online at the `Open Source Vulnerability Database <https://osv.dev/>`_.

FTP protocol stream injection via malicious URLs: ``urllib`` percent-decodes
the user, password and path components of an ``ftp://`` URL and hands them to
``ftplib`` unchanged, so a URL carrying encoded CR/LF characters (``%0d%0a``)
terminates the current FTP command early and injects further commands of the
attacker's choice into the control connection.

Dates:

* Disclosure date: **2017-02-20** (blog post, mail to oss-security)
* Reported at: 2016-01-15 (email sent to the PSRT list)
* Reported by: Timothy D. Morgan (Blindspot)

Fixed In
--------

* Python **2.7.14** (2017-09-16) fixed by commit e5eae47 (branch 2.7) (2017-07-26)
* Python **3.3.7** (2017-09-19) fixed by commit a4e774f (branch 3.3) (2017-07-26)
* Python **3.4.7** (2017-08-09) fixed by commit 2a5a26c (branch 3.4) (2017-07-27)
* Python **3.5.4** (2017-08-07) fixed by commit 19b2890 (branch 3.5) (2017-07-26)
* Python **3.6.3** (2017-10-03) fixed by commit 8c2d4cf (branch 3.6) (2017-07-26)
* Python **3.7.0** (2018-06-27) fixed by commit 2b1e6e9 (branch 3.7) (2017-07-22)

Python issue
------------

(ftplib) A remote attacker could possibly attack by containing the newline
characters. The fix makes ``ftplib`` refuse, with ``ValueError``, any command
line that contains a CR or LF character, so an injected newline can no longer
reach the server regardless of which caller (``urllib`` or user code) built
the command.

* Python issue: `bpo-30119 <https://bugs.python.org/issue30119>`_
* Creation date: 2017-04-20
* Reporter: Dong-hee Na

Timeline
--------

Timeline using the disclosure date **2017-02-20** as reference:

* 2016-01-15 (**-402 days**): Reported (email sent to the PSRT list)
* 2017-02-20: Disclosure date (blog post, mail to oss-security)
* 2017-04-20 (**+59 days**): Python issue bpo-30119 reported by Dong-hee Na
* 2017-07-22 (**+152 days**): commit 2b1e6e9 (branch 3.7)
* 2017-07-26 (**+156 days**): commit 19b2890 (branch 3.5)
* 2017-07-26 (**+156 days**): commit 8c2d4cf (branch 3.6)
* 2017-07-26 (**+156 days**): commit a4e774f (branch 3.3)
* 2017-07-26 (**+156 days**): commit e5eae47 (branch 2.7)
* 2017-07-27 (**+157 days**): commit 2a5a26c (branch 3.4)
* 2017-08-07 (**+168 days**): Python 3.5.4 released
* 2017-08-09 (**+170 days**): Python 3.4.7 released
* 2017-09-16 (**+208 days**): Python 2.7.14 released
* 2017-09-19 (**+211 days**): Python 3.3.7 released
* 2017-10-03 (**+225 days**): Python 3.6.3 released
* 2018-06-27: Python 3.7.0 released

Links
-----

* http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html
* http://www.openwall.com/lists/oss-security/2017/02/20/1
* https://bugzilla.redhat.com/show_bug.cgi?id=1478916
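Worked example
--------------

The following is an added example, not code from this page or from CPython.
It reconstructs the decode-and-forward step that makes the injection possible
(``urllib`` percent-decoding ``ftp://`` URL components and passing them to
``ftplib``), shows which lines an FTP server would parse as extra commands,
and then pushes the same commands through the real ``ftplib.FTP.putline`` with
a fake socket to show that a Python carrying the bpo-30119 fix refuses them.
The simplified USER/PASS, CWD, RETR sequence, the placeholder host
``ftp.example.invalid`` and both sample URLs are assumptions constructed for
the demonstration; nothing touches the network.

```python
"""Added example: urllib-style ftp:// URL decoding feeding ftplib, with and
without the CR/LF check from the bpo-30119 fix.  No network I/O is performed."""
import ftplib
from urllib.parse import urlsplit, unquote


def ftp_commands_from_url(url):
    """Build the FTP control-channel commands urllib would issue for ``url``.

    Every component is percent-decoded with unquote(), as urllib.request's
    FTP handler does.  Assumption (simplification of the real handler):
    USER/PASS, one CWD per directory segment, RETR for the last segment.
    """
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username else "anonymous"
    passwd = unquote(parts.password) if parts.password else "anonymous@"
    segments = [unquote(s) for s in parts.path.split("/") if s]
    commands = [f"USER {user}", f"PASS {passwd}"]
    commands += [f"CWD {d}" for d in segments[:-1]]
    if segments:
        commands.append(f"RETR {segments[-1]}")
    return commands


def injected_lines(commands):
    """Return the lines an FTP server would parse as *additional* commands.

    An unpatched ftplib appends CRLF and sends the string verbatim, so a CR
    or LF already inside a command ends it early; everything after it is an
    attacker-controlled command line.
    """
    extra = []
    for cmd in commands:
        lines = cmd.replace("\r\n", "\n").replace("\r", "\n").split("\n")
        extra.extend(line for line in lines[1:] if line)
    return extra


class _RecordingSocket:
    """Stand-in for the control socket: records what ftplib would send."""

    def __init__(self):
        self.sent = b""

    def sendall(self, data):
        self.sent += data


def send_via_ftplib(commands):
    """Push commands through ftplib.FTP.putline() using the fake socket.

    Returns (bytes that reached the wire, commands ftplib refused).  With the
    bpo-30119 fix, putline() raises ValueError for any command containing CR
    or LF before anything is written, so the injected command never leaves.
    """
    ftp = ftplib.FTP()              # no host: nothing is connected
    ftp.sock = _RecordingSocket()   # replaces the real control socket
    rejected = []
    for cmd in commands:
        try:
            ftp.putline(cmd)
        except ValueError:
            rejected.append(cmd)
    return ftp.sock.sent, rejected


# Constructed sample URLs; ftp.example.invalid is a placeholder host.
BENIGN_URL = "ftp://ftp.example.invalid/pub/file.txt"
MALICIOUS_URL = ("ftp://anonymous:guest%40example.org@ftp.example.invalid"
                 "/pub%0d%0aDELE%20important.txt/file.txt")

if __name__ == "__main__":
    for url in (BENIGN_URL, MALICIOUS_URL):
        cmds = ftp_commands_from_url(url)
        wire, refused = send_via_ftplib(cmds)
        print(url)
        print("  injected command lines:", injected_lines(cmds))
        print("  refused by ftplib:     ", refused)
        print("  reached the wire:      ", wire)
```

Run as a script, the malicious URL yields one injected line, ``DELE
important.txt``; ``send_via_ftplib`` shows that a fixed ``ftplib`` drops the
whole ``CWD`` command rather than let the server see a second line, whereas
an unpatched release would have sent both lines and the server would have
executed the ``DELE``. The same check applies to user-written ``ftplib``
code, which is why the fix was placed in ``ftplib`` rather than only in
``urllib``.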