urllib FTP protocol stream injection


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

FTP protocol stream injection via malicious URLs.


  • Disclosure date: 2017-02-20 (blog post, mail to oss-security)
  • Reported at: 2016-01-15 (email sent to the PSRT list)
  • Reported by: Timothy D. Morgan (Blindspot)

Fixed In

Python issue

(ftplib) A remote attacker could possibly attack by containing the newline characters.

  • Python issue: bpo-30119
  • Creation date: 2017-04-20
  • Reporter: Dong-hee Na


Timeline using the disclosure date 2017-02-20 as reference: