From: Dong-hee Na Date: Wed, 26 Jul 2017 04:58:22 +0000 (+0900) Subject: [3.3] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command... X-Git-Tag: v3.3.7rc1~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a4e774f86224cd8c997deaa4e71312cf1a7b023c;p=thirdparty%2FPython%2Fcpython.git [3.3] bpo-30119: fix ftplib.FTP.putline() to throw an error for a illegal command (#1214) (#2885) --- diff --git a/Lib/ftplib.py b/Lib/ftplib.py index 5e75e6d4227a..ca7225f1d940 100644 --- a/Lib/ftplib.py +++ b/Lib/ftplib.py @@ -185,6 +185,8 @@ class FTP: # Internal: send one line to the server, appending CRLF def putline(self, line): + if '\r' in line or '\n' in line: + raise ValueError('an illegal newline character should not be contained') line = line + CRLF if self.debugging > 1: print('*put*', self.sanitize(line)) self.sock.sendall(line.encode(self.encoding)) diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py index 6c95c491ffdf..c5e6736f8ba1 100644 --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py @@ -480,6 +480,9 @@ class TestFTPClass(TestCase): self.assertEqual(self.client.sanitize('PASS 12345'), repr('PASS *****')) def test_exceptions(self): + self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\r\n0') + self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\n0') + self.assertRaises(ValueError, self.client.sendcmd, 'echo 40\r0') self.assertRaises(ftplib.error_temp, self.client.sendcmd, 'echo 400') self.assertRaises(ftplib.error_temp, self.client.sendcmd, 'echo 499') self.assertRaises(ftplib.error_perm, self.client.sendcmd, 'echo 500') @@ -488,7 +491,8 @@ class TestFTPClass(TestCase): def test_all_errors(self): exceptions = (ftplib.error_reply, ftplib.error_temp, ftplib.error_perm, - ftplib.error_proto, ftplib.Error, IOError, EOFError) + ftplib.error_proto, ftplib.Error, OSError, + EOFError) for x in exceptions: try: raise x('exception not included in all_errors set') diff --git a/Misc/NEWS b/Misc/NEWS index 68a332302b18..2b4d4e798980 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -39,6 +39,9 @@ Core and Builtins Library ------- +- bpo-30119: ftplib.FTP.putline() now throws ValueError on commands that contains + CR or LF. Patch by Dong-hee Na + - [Security] bpo-30730: Prevent environment variables injection in subprocess on Windows. Prevent passing other invalid environment variables and command arguments.