urllib FTP protocol stream injection
FTP protocol stream injection via malicious URLs.
Dates:
- Disclosure date: 2017-02-20 (blog post, mail to oss-security)
- Reported at: 2016-01-15 (email sent to the PSRT list)
- Reported by: Timothy D. Morgan (Blindspot)
Fixed In
- Python 2.7.14 (2017-09-17) fixed by commit e5eae47 (branch 2.7) (2017-07-26)
- Python 3.3.7 (2017-09-19) fixed by commit a4e774f (branch 3.3) (2017-07-26)
- Python 3.4.7 (2017-08-09) fixed by commit 2a5a26c (branch 3.4) (2017-07-27)
- Python 3.5.4 (2017-08-08) fixed by commit 19b2890 (branch 3.5) (2017-07-26)
- Python 3.6.3 (2017-10-03) fixed by commit 8c2d4cf (branch 3.6) (2017-07-26)
- Python 3.7.0 (2018-06-28) fixed by commit 2b1e6e9 (branch 3.7) (2017-07-22)
Python issue
(ftplib) A remote attacker could possibly attack by containing the newline characters.
- Python issue: bpo-30119
- Creation date: 2017-04-20
- Reporter: Dong-hee Na
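The check below is an added example, not code from CPython or from this page. It flags ftp:// URLs whose user, password, host or path percent-decode to CR or LF before they are handed to urllib, and reports whether the running interpreter's ftplib refuses a command line containing a newline. The function names and the sample host `files.example` are assumptions made for illustration.

```python
from ftplib import FTP
from urllib.parse import urlsplit, unquote

# Characters that end a command line on the FTP control connection.
LINE_BREAKS = ("\r", "\n")


def ftp_url_newline_fields(url):
    """Return the parts of an ftp:// URL that carry CR or LF once decoded."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return []
    flagged = []
    # Recent urlsplit() versions silently drop raw CR/LF/tab characters,
    # so inspect the original string as well as the parsed components.
    if any(c in url for c in LINE_BREAKS):
        flagged.append("raw-url")
    fields = {
        "username": parts.username,
        "password": parts.password,
        "hostname": parts.hostname,
        "path": parts.path,
    }
    for name, value in fields.items():
        # Decode exactly once: a double-encoded %250A stays the text "%0A".
        decoded = unquote(value or "")
        if any(c in decoded for c in LINE_BREAKS):
            flagged.append(name)
    return flagged


def ftplib_rejects_newline():
    """True if this interpreter's ftplib refuses a command containing CR/LF."""
    try:
        # Unconnected object: a patched putline() raises before any I/O.
        FTP().putline("CWD a\r\nb")
    except ValueError:
        return True
    except AttributeError:
        # No socket to write to: the line was accepted for sending.
        return False
    return False


if __name__ == "__main__":
    # Constructed sample URL, not taken from the advisory.
    print(ftp_url_newline_fields("ftp://files.example/pub/a%0D%0Ab/readme.txt"))
    print(ftplib_rejects_newline())
```

Running the URL check before the fetch covers interpreters older than the releases listed under Fixed In, where ftplib would still send the line.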
Timeline
Timeline using the disclosure date 2017-02-20 as reference:
- 2016-01-15 (-402 days): Reported (email sent to the PSRT list)
- 2017-02-20: Disclosure date (blog post, mail to oss-security)
- 2017-04-20 (+59 days): Python issue bpo-30119 reported by Dong-hee Na
- 2017-07-22 (+152 days): commit 2b1e6e9 (branch 3.7)
- 2017-07-26 (+156 days): commit 19b2890 (branch 3.5)
- 2017-07-26 (+156 days): commit 8c2d4cf (branch 3.6)
- 2017-07-26 (+156 days): commit a4e774f (branch 3.3)
- 2017-07-26 (+156 days): commit e5eae47 (branch 2.7)
- 2017-07-27 (+157 days): commit 2a5a26c (branch 3.4)
- 2017-08-08 (+169 days): Python 3.5.4 released
- 2017-08-09 (+170 days): Python 3.4.7 released
- 2017-09-17 (+209 days): Python 2.7.14 released
- 2017-09-19 (+211 days): Python 3.3.7 released
- 2017-10-03 (+225 days): Python 3.6.3 released
- 2018-06-28: Python 3.7.0 released