From 4b397c1b90df633187c6161615531437fe564f8c Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Sat, 13 Mar 2021 03:48:43 -0800 Subject: [PATCH 1/2] bpo-43285 Make ftplib not trust the PASV response. The IPv4 address value returned from the server in response to the PASV command should not be trusted. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. Instead of using the returned address, we use the IP address we're already connected to. This is the strategy other ftp clients adopted, and matches the only strategy available for the modern IPv6 EPSV command where the server response must return a port number and nothing else. --- Lib/ftplib.py | 11 ++++++-- Lib/test/test_ftplib.py | 27 ++++++++++++++++++- .../2021-03-13-03-48-14.bpo-43285.g-Hah3.rst | 4 +++ 3 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst diff --git a/Lib/ftplib.py b/Lib/ftplib.py index 1f760ed1ce0bf0..8828d3c7c3f177 100644 --- a/Lib/ftplib.py +++ b/Lib/ftplib.py @@ -102,7 +102,9 @@ class FTP: sock = None file = None welcome = None - passiveserver = 1 + passiveserver = True + # Disables https://bugs.python.org/issue43285 security if set to True. + use_untrusted_server_pasv_ipv4_addr = False def __init__(self, host='', user='', passwd='', acct='', timeout=_GLOBAL_DEFAULT_TIMEOUT, source_address=None, *, @@ -320,8 +322,13 @@ def makeport(self): return sock def makepasv(self): + """Internal: Does the PASV or EPSV handshake -> (address, port)""" if self.af == socket.AF_INET: - host, port = parse227(self.sendcmd('PASV')) + untrusted_host, port = parse227(self.sendcmd('PASV')) + if self.use_untrusted_server_pasv_ipv4_addr: + host = untrusted_host + else: + host = self.sock.getpeername()[0] else: host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername()) return host, port diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py index 2424911c7ac5e9..a89a951385587d 100644 --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py @@ -103,6 +103,10 @@ def __init__(self, conn, encoding=DEFAULT_ENCODING): self.next_retr_data = RETR_DATA self.push('220 welcome') self.encoding = encoding + # We use this as the string IPv4 address to direct the client + # to in response to a PASV command. To test security behavior. + # https://bugs.python.org/issue43285/. + self.fake_pasv_server_ip = '252.253.254.255' def collect_incoming_data(self, data): self.in_buffer.append(data) @@ -143,7 +147,8 @@ def cmd_port(self, arg): def cmd_pasv(self, arg): with socket.create_server((self.socket.getsockname()[0], 0)) as sock: sock.settimeout(TIMEOUT) - ip, port = sock.getsockname()[:2] + port = sock.getsockname()[1] + ip = self.fake_pasv_server_ip ip = ip.replace('.', ','); p1 = port / 256; p2 = port % 256 self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2)) conn, addr = sock.accept() @@ -707,6 +712,26 @@ def test_makepasv(self): # IPv4 is in use, just make sure send_epsv has not been used self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv') + def test_makepasv_issue43285_security_disabled(self): + """Test the opt-in to the old vulnerable behavior.""" + self.client.use_untrusted_server_pasv_ipv4_addr = True + bad_host, port = self.client.makepasv() + self.assertEqual( + bad_host, self.server.handler_instance.fake_pasv_server_ip) + # Opening and closing a connection keeps the dummy server happy + # instead of timing out on accept. + socket.create_connection((self.client.sock.getpeername()[0], port), + timeout=TIMEOUT).close() + + def test_makepasv_issue43285_security_enabled_default(self): + self.assertFalse(self.client.use_untrusted_server_pasv_ipv4_addr) + trusted_host, port = self.client.makepasv() + self.assertNotEqual( + trusted_host, self.server.handler_instance.fake_pasv_server_ip) + # Opening and closing a connection keeps the dummy server happy + # instead of timing out on accept. + socket.create_connection((trusted_host, port), timeout=TIMEOUT).close() + def test_with_statement(self): self.client.quit() diff --git a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst new file mode 100644 index 00000000000000..c481dd65d0483d --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst @@ -0,0 +1,4 @@ +:mod:`ftplib` no longer trusts the IP address value returned from the server +in response to the PASV command by default. This prevents a malicious FTP +server from using the response to probe IPv4 address and port combinations +on the client network. From 6003e2f6672696e415bc5023ce7a47a4b03488bd Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Sat, 13 Mar 2021 15:14:47 -0800 Subject: [PATCH 2/2] Rename the legacy behavior attribute and mention it in NEWS. `trust_server_pasv_ipv4_address` --- Lib/ftplib.py | 4 ++-- Lib/test/test_ftplib.py | 4 ++-- .../next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst | 4 ++++ 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/Lib/ftplib.py b/Lib/ftplib.py index 8828d3c7c3f177..7c5a50715f6dc6 100644 --- a/Lib/ftplib.py +++ b/Lib/ftplib.py @@ -104,7 +104,7 @@ class FTP: welcome = None passiveserver = True # Disables https://bugs.python.org/issue43285 security if set to True. - use_untrusted_server_pasv_ipv4_addr = False + trust_server_pasv_ipv4_address = False def __init__(self, host='', user='', passwd='', acct='', timeout=_GLOBAL_DEFAULT_TIMEOUT, source_address=None, *, @@ -325,7 +325,7 @@ def makepasv(self): """Internal: Does the PASV or EPSV handshake -> (address, port)""" if self.af == socket.AF_INET: untrusted_host, port = parse227(self.sendcmd('PASV')) - if self.use_untrusted_server_pasv_ipv4_addr: + if self.trust_server_pasv_ipv4_address: host = untrusted_host else: host = self.sock.getpeername()[0] diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py index a89a951385587d..154dce15e2c372 100644 --- a/Lib/test/test_ftplib.py +++ b/Lib/test/test_ftplib.py @@ -714,7 +714,7 @@ def test_makepasv(self): def test_makepasv_issue43285_security_disabled(self): """Test the opt-in to the old vulnerable behavior.""" - self.client.use_untrusted_server_pasv_ipv4_addr = True + self.client.trust_server_pasv_ipv4_address = True bad_host, port = self.client.makepasv() self.assertEqual( bad_host, self.server.handler_instance.fake_pasv_server_ip) @@ -724,7 +724,7 @@ def test_makepasv_issue43285_security_disabled(self): timeout=TIMEOUT).close() def test_makepasv_issue43285_security_enabled_default(self): - self.assertFalse(self.client.use_untrusted_server_pasv_ipv4_addr) + self.assertFalse(self.client.trust_server_pasv_ipv4_address) trusted_host, port = self.client.makepasv() self.assertNotEqual( trusted_host, self.server.handler_instance.fake_pasv_server_ip) diff --git a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst index c481dd65d0483d..8312b7e885441d 100644 --- a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst +++ b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst @@ -2,3 +2,7 @@ in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network. + +Code that requires the former vulnerable behavior may set a +``trust_server_pasv_ipv4_address`` attribute on their +:class:`ftplib.FTP` instances to ``True`` to re-enable it.