diff options
Diffstat (limited to 'Misc/NEWS.d/next/Security')
| -rw-r--r-- | Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst new file mode 100644 index 0000000..8312b7e --- /dev/null +++ b/Misc/NEWS.d/next/Security/2021-03-13-03-48-14.bpo-43285.g-Hah3.rst @@ -0,0 +1,8 @@ +:mod:`ftplib` no longer trusts the IP address value returned from the server +in response to the PASV command by default. This prevents a malicious FTP +server from using the response to probe IPv4 address and port combinations +on the client network. + +Code that requires the former vulnerable behavior may set a +``trust_server_pasv_ipv4_address`` attribute on their +:class:`ftplib.FTP` instances to ``True`` to re-enable it. |