]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
projects / thirdparty / Python / cpython.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 168a3c8) | patch
[3.15] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149792)
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Fri, 15 May 2026 10:50:45 +0000 (12:50 +0200)
committerGitHub <noreply@github.com>
Fri, 15 May 2026 10:50:45 +0000 (10:50 +0000)
commit5dadc64673ce875ebfb24163907777dae0f6ca06
tree759909394332b8ed2e55782892aed2bc198ef054tree | snapshot
parent168a3c85be3f34dcd4175311a0bac558dcaa5ef7commit | diff
[3.15] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149792)

gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648)

ftpcp() called parse227() directly and passed the source server's
self-reported PASV IPv4 address to the target server's PORT command,
bypassing the CVE-2021-4189 fix that was applied only to FTP.makepasv().
A malicious source FTP server could use this to redirect the target
server's data connection to an arbitrary host:port (SSRF).

ftpcp() now uses the source server's actual peer address, honoring the
existing trust_server_pasv_ipv4_address opt-out, the same as makepasv().

Thanks to Qi Ding at Aurascape AI for the report. (GHSA-w8c5-q2xf-gf7c)
(cherry picked from commit eac4fe3b2c77693790a5ef7dfab127c1fee81bf9)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Lib/ftplib.py diff | blob | blame | history
Lib/test/test_ftplib.py diff | blob | blame | history
Misc/NEWS.d/next/Security/2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst [new file with mode: 0644] blob
Mirror of https://github.com/python/cpython.git