gh-87451: Apply CVE-2021-4189 PASV fix to ftplib.ftpcp()#149648

Open
gpshead wants to merge 2 commits intopython:mainfrom
gpshead:gh-87451-ftplib-ftpcp

Conversation

@gpshead
Member

@gpshead gpshead commented May 10, 2026

ftpcp() called parse227() directly and passed the source server's self-reported PASV IPv4 address to the target server's PORT command, bypassing the CVE-2021-4189 fix that was applied only to FTP.makepasv(). A malicious source FTP server could use this to redirect the target server's data connection to an arbitrary host:port (SSRF).

ftpcp() now uses the source server's actual peer address, honoring the existing trust_server_pasv_ipv4_address opt-out, the same as makepasv().

Thanks to Qi Ding (AKA ikow) for the report. (GHSA-w8c5-q2xf-gf7c)

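To make the behaviour described above concrete, the following Python models the address selection for the PORT command before and after the fix. This is an added example, not the PR's diff; parse227 mirrors ftplib's parsing of a 227 reply, and the 227 replies, peer addresses and function names are constructed for illustration.

```python
import re

# Same pattern ftplib uses to pull h1,h2,h3,h4,p1,p2 out of a 227 reply.
_227_RE = re.compile(r'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', re.ASCII)


def parse227(resp):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The host and port here are whatever the server chose to advertise;
    nothing in this function checks that they refer to the server itself.
    """
    if resp[:3] != '227':
        raise ValueError(f'not a 227 reply: {resp!r}')
    m = _227_RE.search(resp)
    if m is None:
        raise ValueError(f'could not parse PASV reply: {resp!r}')
    numbers = m.groups()
    host = '.'.join(numbers[:4])
    port = (int(numbers[4]) << 8) + int(numbers[5])
    return host, port


def vulnerable_port_target(source_227_reply, source_peer_host):
    """Pre-fix ftpcp() logic (constructed): forward the advertised host as-is.

    source_peer_host is ignored, so a hostile source server decides where
    the target server's data connection goes.
    """
    return parse227(source_227_reply)


def hardened_port_target(source_227_reply, source_peer_host,
                         trust_server_pasv_ipv4_address=False):
    """Post-fix logic (constructed): keep the advertised port, but use the
    control connection's real peer address unless the caller opted in to
    trusting the server, mirroring what FTP.makepasv() already does."""
    advertised_host, port = parse227(source_227_reply)
    host = advertised_host if trust_server_pasv_ipv4_address else source_peer_host
    return host, port


def port_command(host, port):
    """Render the PORT command that would be sent to the target server."""
    octets = host.split('.')
    return 'PORT ' + ','.join(octets + [str(port >> 8), str(port & 0xFF)])


if __name__ == '__main__':
    # Constructed: the source server's real address is 203.0.113.7, but its
    # 227 reply points at an internal host on port 22.
    reply, peer = '227 Entering Passive Mode (10,0,0,5,0,22).', '203.0.113.7'
    print('vulnerable:', port_command(*vulnerable_port_target(reply, peer)))
    print('hardened:  ', port_command(*hardened_port_target(reply, peer)))
```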
@gpshead gpshead requested a review from giampaolo as a code owner May 10, 2026 18:21
@gpshead gpshead added the labels needs backport to 3.10 (only security fixes), needs backport to 3.11 (only security fixes), needs backport to 3.12 (only security fixes), needs backport to 3.13 (bugs and security fixes), needs backport to 3.14 (bugs and security fixes), needs backport to 3.15 (pre-release feature fixes, bugs and security fixes) and type-security (A security issue), and removed the awaiting core review label, May 10, 2026

@gpshead gpshead self-assigned this May 10, 2026
@gpshead gpshead requested a review from picnixz May 10, 2026 20:15
Comment thread Lib/test/test_ftplib.py
source server's actual peer address instead, the same as FTP.makepasv().
"""

class _FakeSock:
Member


Do we need those fake classes or can't we just use Mock() objects instead? Just asking.


Labels

awaiting merge; needs backport to 3.10 (only security fixes); needs backport to 3.11 (only security fixes); needs backport to 3.12 (only security fixes); needs backport to 3.13 (bugs and security fixes); needs backport to 3.14 (bugs and security fixes); needs backport to 3.15 (pre-release feature fixes, bugs and security fixes); type-security (A security issue)
