On Sat, Jul 22, 2017 at 6:38 PM, Victor Stinner <victor.stinner at gmail.com> wrote:

> On 22 Jul 2017 8:04 AM, "Serhiy Storchaka" <storchaka at gmail.com> wrote:
>
> I think the only reliable way of fixing the vulnerability is rejecting or
> escaping (as specified in RFC 2640) CR and LF inside sent lines. Adding the
> support of RFC 2640 is a new feature and can be added only in 3.7. And this
> feature should be optional since not all servers support RFC 2640.
> https://github.com/python/cpython/pull/1214 does the right thing.
>
>
> In that case, I suggest rejecting newlines in ftplib, and maybe add an
> opt-in option to escape newlines.
>
> Java just rejected newlines, no? Or does Java allow to escape them?
>
> Victor
>

OK, let's just reject \n then and be done with it. It's a rare use case after all. Java just rejects \n for all commands and does not support escaping (aka RFC 2640).

--
Giampaolo - http://grodola.blogspot.com
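Added example, not part of the thread and not CPython's code: a sketch of the "reject CR and LF inside sent lines" approach agreed on above, next to the unchecked behaviour it replaces. The function names, the sample argument and the lenient server-side line splitter are assumptions made for illustration.

```python
CRLF = "\r\n"


def putline_unchecked(line: str) -> bytes:
    """Unchecked behaviour: terminate the line and send whatever was given."""
    return (line + CRLF).encode("latin-1")


def putline_checked(line: str) -> bytes:
    """Checked behaviour: refuse any line that already contains CR or LF."""
    if "\r" in line or "\n" in line:
        raise ValueError("CR or LF is not allowed inside an FTP command line")
    return (line + CRLF).encode("latin-1")


def server_split(wire: bytes) -> list:
    """Split control-connection bytes into command lines.

    Assumption: the receiving side also accepts a bare LF as a line
    terminator, which is why LF alone has to be rejected, not only CRLF.
    """
    text = wire.decode("latin-1").replace(CRLF, "\n")
    return [part for part in text.split("\n") if part]


def commands_seen(putline, command: str, argument: str):
    """Return the command lines a server would parse, or the rejection error."""
    try:
        return server_split(putline(command + " " + argument))
    except ValueError as exc:
        return exc


# Constructed sample: an argument that carries a line break and a second verb.
SAMPLE_ARGUMENT = "a.txt\r\nNOOP"

if __name__ == "__main__":
    print("unchecked:", commands_seen(putline_unchecked, "RETR", SAMPLE_ARGUMENT))
    print("checked:  ", commands_seen(putline_checked, "RETR", SAMPLE_ARGUMENT))
    print("clean:    ", commands_seen(putline_checked, "RETR", "a.txt"))
```
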