Description
The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Problem types
CWE-918 Server-Side request forgery (SSRF)
Product status
Any version before 3.13.14
3.14.0 (python) before 3.14.6
3.15.0a1 (python) before 3.15.0b2
Credits
Qi Deng (https://github.com/ikow)
Bénédikt Tran (https://github.com/picnixz)
Gregory P. Smith (https://github.com/gpshead)
References
github.com/python/cpython/issues/87451
github.com/python/cpython/pull/149648
mail.python.org/.../thread/ITF2BAPBQEPYK3LDMPRSY435JGNHYNDP/
github.com/...ommit/5dadc64673ce875ebfb24163907777dae0f6ca06
github.com/...ommit/7d95a1dc7382b55cba7fdd6a110336077584a4f0
github.com/...ommit/bb3446dda6c49b32e67c11dbbbf221b40be00763
github.com/...ommit/c88704431ea3248ca769384c13856330976fac1d
github.com/...ommit/eac4fe3b2c77693790a5ef7dfab127c1fee81bf9