mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-09-26 18:29:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

bpo-43285 Make ftplib not trust the PASV response. (GH-24838)

Browse source 
bpo-43285: Make ftplib not trust the PASV response.

The IPv4 address value returned from the server in response to the PASV command
should not be trusted.  This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.

Instead of using the returned address, we use the IP address we're
already connected to.  This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.

For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
This commit is contained in:
Gregory P. Smith 2021-03-15 11:39:31 -07:00 committed by GitHub
parent 93d33b47af
commit 0ab152c6b5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
Lib/ftplib.py
View file

@ -102,7 +102,9 @@ class FTP:
sock = None sock = None
file = None file = None
welcome = None welcome = None
passiveserver = 1 passiveserver = True
# Disables https://bugs.python.org/issue43285 security if set to True.
trust_server_pasv_ipv4_address = False
def __init__(self, host='', user='', passwd='', acct='', def __init__(self, host='', user='', passwd='', acct='',
timeout=_GLOBAL_DEFAULT_TIMEOUT, source_address=None, *, timeout=_GLOBAL_DEFAULT_TIMEOUT, source_address=None, *,
@ -320,8 +322,13 @@ class FTP:
return sock return sock
def makepasv(self): def makepasv(self):
"""Internal: Does the PASV or EPSV handshake -> (address, port)"""
if self.af == socket.AF_INET: if self.af == socket.AF_INET:
host, port = parse227(self.sendcmd('PASV')) untrusted_host, port = parse227(self.sendcmd('PASV'))
if self.trust_server_pasv_ipv4_address:
host = untrusted_host
else:
host = self.sock.getpeername()[0]
else: else:
host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername()) host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
return host, port return host, port

27
Lib/test/test_ftplib.py
View file

@ -103,6 +103,10 @@ class DummyFTPHandler(asynchat.async_chat):
self.next_retr_data = RETR_DATA self.next_retr_data = RETR_DATA
self.push('220 welcome') self.push('220 welcome')
self.encoding = encoding self.encoding = encoding
# We use this as the string IPv4 address to direct the client
# to in response to a PASV command. To test security behavior.
# https://bugs.python.org/issue43285/.
self.fake_pasv_server_ip = '252.253.254.255'
def collect_incoming_data(self, data): def collect_incoming_data(self, data):
self.in_buffer.append(data) self.in_buffer.append(data)
@ -143,7 +147,8 @@ class DummyFTPHandler(asynchat.async_chat):
def cmd_pasv(self, arg): def cmd_pasv(self, arg):
with socket.create_server((self.socket.getsockname()[0], 0)) as sock: with socket.create_server((self.socket.getsockname()[0], 0)) as sock:
sock.settimeout(TIMEOUT) sock.settimeout(TIMEOUT)
ip, port = sock.getsockname()[:2] port = sock.getsockname()[1]
ip = self.fake_pasv_server_ip
ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256 ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256
self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2)) self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
conn, addr = sock.accept() conn, addr = sock.accept()
@ -707,6 +712,26 @@ class TestFTPClass(TestCase):
# IPv4 is in use, just make sure send_epsv has not been used # IPv4 is in use, just make sure send_epsv has not been used
self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv') self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
def test_makepasv_issue43285_security_disabled(self):
"""Test the opt-in to the old vulnerable behavior."""
self.client.trust_server_pasv_ipv4_address = True
bad_host, port = self.client.makepasv()
self.assertEqual(
bad_host, self.server.handler_instance.fake_pasv_server_ip)
# Opening and closing a connection keeps the dummy server happy
# instead of timing out on accept.
socket.create_connection((self.client.sock.getpeername()[0], port),
timeout=TIMEOUT).close()
def test_makepasv_issue43285_security_enabled_default(self):
self.assertFalse(self.client.trust_server_pasv_ipv4_address)
trusted_host, port = self.client.makepasv()
self.assertNotEqual(
trusted_host, self.server.handler_instance.fake_pasv_server_ip)
# Opening and closing a connection keeps the dummy server happy
# instead of timing out on accept.
socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
def test_with_statement(self): def test_with_statement(self):
self.client.quit() self.client.quit()

8
Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst Normal file
View file

@ -0,0 +1,8 @@
:mod:`ftplib` no longer trusts the IP address value returned from the server
in response to the PASV command by default. This prevents a malicious FTP
server from using the response to probe IPv4 address and port combinations
on the client network.
Code that requires the former vulnerable behavior may set a
``trust_server_pasv_ipv4_address`` attribute on their
:class:`ftplib.FTP` instances to ``True`` to re-enable it.