git.ipfire.org Git - thirdparty/Python/cpython.git/commit

author	Gregory P. Smith <68491+gpshead@users.noreply.github.com>
	Wed, 13 May 2026 17:33:43 +0000 (10:33 -0700)
committer	GitHub <noreply@github.com>
	Wed, 13 May 2026 17:33:43 +0000 (17:33 +0000)
commit	eac4fe3b2c77693790a5ef7dfab127c1fee81bf9
tree	e00bd24cf4b8041169b17236d6d610284051fbf6	tree \| snapshot
parent	125f26358ac7ecab98095fa85490e5465bdad698	commit \| diff

gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp() (GH-149648)

ftpcp() called parse227() directly and passed the source server's
self-reported PASV IPv4 address to the target server's PORT command,
bypassing the CVE-2021-4189 fix that was applied only to FTP.makepasv().
A malicious source FTP server could use this to redirect the target
server's data connection to an arbitrary host:port (SSRF).

ftpcp() now uses the source server's actual peer address, honoring the
existing trust_server_pasv_ipv4_address opt-out, the same as makepasv().

Thanks to Qi Ding at Aurascape AI for the report. (GHSA-w8c5-q2xf-gf7c)

Lib/ftplib.py		diff \| blob \| blame \| history
Lib/test/test_ftplib.py		diff \| blob \| blame \| history
Misc/NEWS.d/next/Security/2026-05-10-18-05-32.gh-issue-87451.XkKB6M.rst	[new file with mode: 0644]	blob