git.ipfire.org Git - thirdparty/Python/cpython.git/commit
[3.13] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149794)
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Wed, 13 May 2026 17:58:26 +0000 (19:58 +0200)
committer GitHub <noreply@github.com>
Wed, 13 May 2026 17:58:26 +0000 (17:58 +0000)
commit bb3446dda6c49b32e67c11dbbbf221b40be00763
tree b976a0b88acdefeffeda2497f535249ddcc00ee1
parent 49d08674d8dba50dc29539e3c7bce21d66066b06
[3.13] gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648) (#149794)

gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648)

ftpcp() called parse227() directly and passed the source server's
self-reported PASV IPv4 address to the target server's PORT command,
bypassing the CVE-2021-4189 fix that was applied only to FTP.makepasv().
A malicious source FTP server could use this to redirect the target
server's data connection to an arbitrary host:port (SSRF).

ftpcp() now uses the source server's actual peer address, honoring the
existing trust_server_pasv_ipv4_address opt-out, the same as makepasv().

Thanks to Qi Ding at Aurascape AI for the report. (GHSA-w8c5-q2xf-gf7c)
(cherry picked from commit eac4fe3b2c77693790a5ef7dfab127c1fee81bf9)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Lib/ftplib.py
Lib/test/test_ftplib.py
Misc/NEWS.d/next/Security/2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst [new file with mode: 0644]
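The commit message above describes the mechanism in one sentence: the old ftpcp() relayed the host from the source server's 227 reply into the target server's PORT command, while the CVE-2021-4189 fix in makepasv() replaces that self-reported host with the control connection's real peer address unless trust_server_pasv_ipv4_address is set. The following is an added illustration written for this page, not code from the commit or from CPython's ftplib. It uses the real stdlib helper ftplib.parse227 to read the 227 reply; the functions resolve_pasv_data_address and port_command, the PORT formatting (written from RFC 959 rather than by calling FTP.sendport), the keyword argument named after the real trust_server_pasv_ipv4_address attribute, and the sample peer address and malicious 227 line are all constructed for the example.

```python
"""Added example (not CPython's own code): how a malicious source server's
PASV reply can redirect a third-party transfer, and how pinning the host to
the real peer address (the CVE-2021-4189 behaviour) removes that control.
"""
import ipaddress
from ftplib import parse227  # real stdlib helper; parses a '227 ...' reply


def resolve_pasv_data_address(pasv_reply, peer_ip,
                              trust_server_pasv_ipv4_address=False):
    """Return the (host, port) a client would relay to the target server.

    pasv_reply: raw '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' line.
    peer_ip: the address the control socket is really connected to, i.e.
             what source.sock.getpeername()[0] would give in ftplib.
    trust_server_pasv_ipv4_address: illustrative opt-out mirroring the FTP
             attribute of the same name; False is the safe default.
    """
    untrusted_host, port = parse227(pasv_reply)  # raises on non-227 replies
    if trust_server_pasv_ipv4_address:
        return untrusted_host, port  # pre-fix behaviour: believe the server
    # Hardened path: keep only the port, use the address we actually spoke to.
    return peer_ip, port


def port_command(host, port):
    """Format an RFC 959 PORT argument (h1,h2,h3,h4,p1,p2) for an IPv4 host.

    Constructed for this example; it is not a call into FTP.sendport().
    """
    addr = ipaddress.IPv4Address(host)  # rejects anything that is not IPv4
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    octets = str(addr).split('.')
    return 'PORT ' + ','.join(octets + [str(port >> 8), str(port & 0xFF)])


# Constructed sample data: the source server's real address versus the
# internal address it claims in its PASV reply (10.0.0.5, port 7*256+208).
PEER_IP = '203.0.113.10'
MALICIOUS_PASV = '227 Entering Passive Mode (10,0,0,5,7,208).'


def vulnerable_port_command(pasv_reply=MALICIOUS_PASV, peer_ip=PEER_IP):
    """Old ftpcp() behaviour: the target is told to connect wherever the
    source server said, here an internal host (the SSRF in the advisory)."""
    return port_command(*resolve_pasv_data_address(pasv_reply, peer_ip, True))


def hardened_port_command(pasv_reply=MALICIOUS_PASV, peer_ip=PEER_IP):
    """Fixed behaviour: the target is told to connect back to the real peer."""
    return port_command(*resolve_pasv_data_address(pasv_reply, peer_ip))


if __name__ == '__main__':
    print('vulnerable:', vulnerable_port_command())  # PORT 10,0,0,5,7,208
    print('hardened:  ', hardened_port_command())    # PORT 203,0,113,10,7,208
```

The port is still taken from the 227 reply in both cases, which is what the fix intends: the source server legitimately chooses its own listening port, but it may not choose which host the target connects to. A malformed or non-227 reply makes parse227 raise, so the caller never builds a PORT command from garbage.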