
Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem #67319

Closed
Guido mannequin opened this issue Dec 30, 2014 · 3 comments
Labels
type-security A security issue

Comments


Guido mannequin commented Dec 30, 2014

BPO 23130
Nosy @bitdancer

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2014-12-30.16:10:15.525>
created_at = <Date 2014-12-30.01:56:34.004>
labels = ['type-security']
title = 'Tools/scripts/ftpmirror.py allows overwriting arbitrary files on filesystem'
updated_at = <Date 2014-12-30.16:10:15.514>
user = 'https://bugs.python.org/Guido'

bugs.python.org fields:

activity = <Date 2014-12-30.16:10:15.514>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2014-12-30.16:10:15.525>
closer = 'python-dev'
components = ['Demos and Tools']
creation = <Date 2014-12-30.01:56:34.004>
creator = 'Guido'
dependencies = []
files = []
hgrepos = []
issue_num = 23130
keywords = []
message_count = 3.0
messages = ['233189', '233209', '233212']
nosy_count = 3.0
nosy_names = ['r.david.murray', 'python-dev', 'Guido']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue23130'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']


Guido mannequin commented Dec 30, 2014

Tools/scripts/ftpmirror.py does not guard against arbitrary path constructions, and, given a connection to a malicious FTP server (or a man-in-the-middle attack), it is possible that any file on the client's filesystem gets overwritten. I.e., if we suppose that ftpmirror.py is run from a "base directory" /home/xxx/yyy, file creations can occur outside this base directory, such as in /tmp, /etc, /var, just to give some examples.

I've constructed a partial proof of concept FTP server that demonstrates directory and file creation outside the base directory (the directory the client script was launched from). I understand that most of the files in Tools/scripts/ are legacy applications that have long been deprecated. However, if the maintainers think these applications should be safe nonetheless, I'll be happy to construct and submit a patch that will remediate this issue.

Guido Vranken
Intelworks
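The defensive check the report is asking for, as an added example that is not part of the original issue or of ftpmirror.py itself: every name taken from a server reply is mapped to a local path only if it stays inside the mirror base directory. The function names, the `demo()` scenario and the sample server names are constructed for illustration.

```python
import os
import tempfile


class UnsafeRemotePath(ValueError):
    """A server-supplied name would place a file outside the mirror directory."""


def safe_local_path(base_dir, remote_name):
    """Map a name taken from an FTP server reply to a path under base_dir,
    or raise UnsafeRemotePath. A lexical check rejects absolute names and
    '.'/'..' components; the realpath comparison then catches escapes via
    symlinks that already exist below base_dir."""
    if not remote_name or remote_name[0] in '/\\':
        raise UnsafeRemotePath(remote_name)
    parts = remote_name.split('/')
    if any(part in ('', '.', '..') or os.sep in part for part in parts):
        raise UnsafeRemotePath(remote_name)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, *parts))
    # commonpath is the right containment test: a plain startswith() would
    # accept '/home/xxx/yyy-evil' as lying under '/home/xxx/yyy'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafeRemotePath(remote_name)
    return candidate


def check_names(base_dir, remote_names):
    """Return {remote_name: True if accepted, False if rejected}."""
    results = {}
    for name in remote_names:
        try:
            safe_local_path(base_dir, name)
            results[name] = True
        except UnsafeRemotePath:
            results[name] = False
    return results


def demo():
    """Constructed scenario: scratch mirror dir with a symlink pointing out of it."""
    base = tempfile.mkdtemp(prefix='mirror-')
    os.symlink(tempfile.gettempdir(), os.path.join(base, 'escape'))
    names = ['pub/file.txt', 'deep/er/path.tgz',    # benign
             '../../etc/passwd', '/etc/passwd',      # traversal, absolute
             'pub/../../x', 'escape/evil.sh']        # hidden '..', via symlink
    return check_names(base, names)
```

Rejecting a name is the safe default here: a mirror client should skip and log such entries rather than try to "repair" them.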

@Guido Guido mannequin added the type-security A security issue label Dec 30, 2014
@bitdancer
Member

I would guess that the most future-proof response to this would be to delete the script. If we do keep it, it should definitely be fixed.

@python-dev
Mannequin

python-dev mannequin commented Dec 30, 2014

New changeset 8f92ab37dd3a by Benjamin Peterson in branch '2.7':
delete old ftpmirror script, which now has security bugs (closes bpo-23130)
https://hg.python.org/cpython/rev/8f92ab37dd3a

New changeset 223d0927e27d by Benjamin Peterson in branch '3.2':
delete old ftpmirror script, which now has security bugs (closes bpo-23130)
https://hg.python.org/cpython/rev/223d0927e27d

New changeset e15d93926e47 by Benjamin Peterson in branch '3.3':
merge 3.2 (bpo-23130)
https://hg.python.org/cpython/rev/e15d93926e47

New changeset 483746c32296 by Benjamin Peterson in branch '3.4':
merge 3.3 (bpo-23130)
https://hg.python.org/cpython/rev/483746c32296

New changeset 4b64d300a67a by Benjamin Peterson in branch 'default':
merge 3.4 (bpo-23130)
https://hg.python.org/cpython/rev/4b64d300a67a

@python-dev python-dev mannequin closed this as completed Dec 30, 2014
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022