urllib FTP protocol stream injection

FTP protocol stream injection via malicious URLs.


  • Disclosure date: 2017-02-20 (blog post, mail to oss-security)
  • Reported at: 2016-01-15 (email sent to the PSRT list)
  • Reported by: Timothy D. Morgan (Blindspot)

Fixed In

Python issue

(ftplib) A remote attacker could possibly attack by containing the newline characters.

  • Python issue: bpo-30119
  • Creation date: 2017-04-20
  • Reporter: Dong-hee Na


Timeline using the disclosure date 2017-02-20 as reference: