Commita27bc4f

gpshead

authored and

miss-islington

committed

[3.8] bpo-43285 Make ftplib not trust the PASV response. (pythonGH-24838) (pythonGH-24881)

bpo-43285: Make ftplib not trust the PASV response.The IPv4 address value returned from the server in response to the PASV commandshould not be trusted. This prevents a malicious FTP server from using theresponse to probe IPv4 address and port combinations on the client network.Instead of using the returned address, we use the IP address we'realready connected to. This is the strategy other ftp clients adopted,and matches the only strategy available for the modern IPv6 EPSV commandwhere the server response must return a port number and nothing else.For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`attribute on your `ftplib.FTP` instance to True..(cherry picked from commit0ab152c)Co-authored-by: Gregory P. Smith <greg@krypto.org>(cherry picked from commit664d1d1)Co-authored-by: Gregory P. Smith <greg@krypto.org>

1 parenta99860e commita27bc4fCopy full SHA for a27bc4f

File tree

3 files changed

+42

-2

lines changed

Lib
- ftplib.py
- test
  - test_ftplib.py
Misc/NEWS.d/next/Security
- 2021-03-13-03-48-14.bpo-43285.g-Hah3.rst

3 files changed

+42

-2

lines changed

`‎Lib/ftplib.py‎`

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,8 @@ class FTP:`
`104`	`104`	`welcome=None`
`105`	`105`	`passiveserver=1`
`106`	`106`	`encoding="latin-1"`
	`107`	`+# Disables https://bugs.python.org/issue43285 security if set to True.`
	`108`	`+trust_server_pasv_ipv4_address=False`
`107`	`109`
`108`	`110`	`# Initialization method (called by class instantiation).`
`109`	`111`	`# Initialize host to localhost, port to standard ftp port`
`@@ -333,8 +335,13 @@ def makeport(self):`
`333`	`335`	`returnsock`
`334`	`336`
`335`	`337`	`defmakepasv(self):`
	`338`	`+"""Internal: Does the PASV or EPSV handshake -> (address, port)"""`
`336`	`339`	`ifself.af==socket.AF_INET:`
`337`		`-host,port=parse227(self.sendcmd('PASV'))`
	`340`	`+untrusted_host,port=parse227(self.sendcmd('PASV'))`
	`341`	`+ifself.trust_server_pasv_ipv4_address:`
	`342`	`+host=untrusted_host`
	`343`	`+else:`
	`344`	`+host=self.sock.getpeername()[0]`
`338`	`345`	`else:`
`339`	`346`	`host,port=parse229(self.sendcmd('EPSV'),self.sock.getpeername())`
`340`	`347`	`returnhost,port`

`‎Lib/test/test_ftplib.py‎`

Lines changed: 26 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,10 @@ def __init__(self, conn):`
`94`	`94`	`self.rest=None`
`95`	`95`	`self.next_retr_data=RETR_DATA`
`96`	`96`	`self.push('220 welcome')`
	`97`	`+# We use this as the string IPv4 address to direct the client`
	`98`	`+# to in response to a PASV command. To test security behavior.`
	`99`	`+# https://bugs.python.org/issue43285/.`
	`100`	`+self.fake_pasv_server_ip='252.253.254.255'`
`97`	`101`
`98`	`102`	`defcollect_incoming_data(self,data):`
`99`	`103`	`self.in_buffer.append(data)`
`@@ -136,7 +140,8 @@ def cmd_pasv(self, arg):`
`136`	`140`	`sock.bind((self.socket.getsockname()[0],0))`
`137`	`141`	`sock.listen()`
`138`	`142`	`sock.settimeout(TIMEOUT)`
`139`		`-ip,port=sock.getsockname()[:2]`
	`143`	`+port=sock.getsockname()[1]`
	`144`	`+ip=self.fake_pasv_server_ip`
`140`	`145`	`ip=ip.replace('.',',');p1=port/256;p2=port%256`
`141`	`146`	`self.push('227 entering passive mode (%s,%d,%d)'%(ip,p1,p2))`
`142`	`147`	`conn,addr=sock.accept()`
`@@ -698,6 +703,26 @@ def test_makepasv(self):`
`698`	`703`	`# IPv4 is in use, just make sure send_epsv has not been used`
`699`	`704`	`self.assertEqual(self.server.handler_instance.last_received_cmd,'pasv')`
`700`	`705`
	`706`	`+deftest_makepasv_issue43285_security_disabled(self):`
	`707`	`+"""Test the opt-in to the old vulnerable behavior."""`
	`708`	`+self.client.trust_server_pasv_ipv4_address=True`
	`709`	`+bad_host,port=self.client.makepasv()`
	`710`	`+self.assertEqual(`
	`711`	`+bad_host,self.server.handler_instance.fake_pasv_server_ip)`
	`712`	`+# Opening and closing a connection keeps the dummy server happy`
	`713`	`+# instead of timing out on accept.`
	`714`	`+socket.create_connection((self.client.sock.getpeername()[0],port),`
	`715`	`+timeout=TIMEOUT).close()`
	`716`	`+`
	`717`	`+deftest_makepasv_issue43285_security_enabled_default(self):`
	`718`	`+self.assertFalse(self.client.trust_server_pasv_ipv4_address)`
	`719`	`+trusted_host,port=self.client.makepasv()`
	`720`	`+self.assertNotEqual(`
	`721`	`+trusted_host,self.server.handler_instance.fake_pasv_server_ip)`
	`722`	`+# Opening and closing a connection keeps the dummy server happy`
	`723`	`+# instead of timing out on accept.`
	`724`	`+socket.create_connection((trusted_host,port),timeout=TIMEOUT).close()`
	`725`	`+`
`701`	`726`	`deftest_with_statement(self):`
`702`	`727`	`self.client.quit()`
`703`	`728`

`‎Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,8 @@`
	`1`	+:mod:`ftplib` no longer trusts the IP address value returned from the server
	`2`	`+in response to the PASV command by default. This prevents a malicious FTP`
	`3`	`+server from using the response to probe IPv4 address and port combinations`
	`4`	`+on the client network.`
	`5`	`+`
	`6`	`+Code that requires the former vulnerable behavior may set a`
	`7`	+``trust_server_pasv_ipv4_address`` attribute on their
	`8`	+:class:`ftplib.FTP` instances to ``True`` to re-enable it.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita27bc4f

File tree

3 files changed

3 files changed

`‎Lib/ftplib.py‎`

`‎Lib/test/test_ftplib.py‎`

`‎Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst‎`

0 commit comments