| Commit message (Collapse) | Author | Age | Files | Lines |
bpo-43285: Make ftplib not trust the PASV response.
The IPv4 address value returned from the server in response to the PASV command
should not be trusted. This prevents a malicious FTP server from using the
response to probe IPv4 address and port combinations on the client network.
Instead of using the returned address, we use the IP address we're
already connected to. This is the strategy other ftp clients adopted,
and matches the only strategy available for the modern IPv6 EPSV command
where the server response must return a port number and nothing else.
For the rare user who _wants_ this ugly behavior, set a `trust_server_pasv_ipv4_address`
attribute on your `ftplib.FTP` instance to True.
(cherry picked from commit 0ab152c6b5d95caa2dc1a30fa96e10258b5f188e)
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
Read from data socket to avoid "[SSL] shutdown while in init" exception
during shutdown of the dummy server.
Signed-off-by: Christian Heimes <christian@python.org>
https://bugs.python.org/issue34391
|
TLS 1.3 behaves slightly differently than TLS 1.2. Session tickets and TLS
client cert auth are now handled after the initial handshake. Tests now
either send/recv data to trigger session and client certs. Or tests
ignore ConnectionResetError / BrokenPipeError on the server side to
handle clients that force-close the socket fd.
To test TLS 1.3, OpenSSL 1.1.1-pre7-dev (git master + OpenSSL PR
https://github.com/openssl/openssl/pull/6340) is required.
Signed-off-by: Christian Heimes <christian@python.org>
|
* bpo-32947: OpenSSL 1.1.1-pre1 / TLS 1.3 fixes
Misc fixes and workarounds for compatibility with OpenSSL 1.1.1-pre1 and
TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
default. Some test cases only apply to TLS 1.2. Other tests currently
fail because the threaded or async test servers stop after failure.
I'm going to address these issues when OpenSSL 1.1.1 reaches beta.
OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
1.3. The feature is enabled by default for maximum compatibility with
broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
it to verify default options.
Signed-off-by: Christian Heimes <christian@python.org>
|
This test is unstable and currently prevents making any new change
since the test always fails on Travis CI.
Skip the test to get more time to fix it.
|
bpo-31399: Let OpenSSL verify hostname and IP
The ssl module now uses OpenSSL's X509_VERIFY_PARAM_set1_host() and
X509_VERIFY_PARAM_set1_ip() API to verify hostname and IP addresses.
* Remove match_hostname calls
* Check for libssl with set1_host, libssl must provide X509_VERIFY_PARAM_set1_host()
* Add documentation for OpenSSL 1.0.2 requirement
* Don't support OpenSSL special mode with a leading dot, e.g. ".example.org" matches "www.example.org". It's not standard conform.
* Add hostname_checks_common_name
Signed-off-by: Christian Heimes <christian@python.org>
|
Replaces PROTOCOL_TLSv* and PROTOCOL_SSLv23 with PROTOCOL_TLS_CLIENT and
PROTOCOL_TLS_SERVER.
Signed-off-by: Christian Heimes <christian@python.org>
|
Clear also self.server_thread attribute in TestTimeouts.tearDown().
|
Explicitly clear the server attribute in test_ftplib and test_poplib
to prevent dangling thread.
|
* Remove Setup.config
* Always define WITH_THREAD for compatibility.
|
(#1214)
|
Always clear asyncore socket map using
asyncore.close_all(ignore_all=True) in tearDown() method.
This change should fix this warning:
Warning -- asyncore.socket_map was modified by test_ftplib
Before: {}
After: {4: <test.test_ftplib.DummyTLS_FTPServer 127.0.0.1:0 at 0x805feccf0>}
|
The deprecation includes manual creation of SSLSocket and certfile/keyfile
(or similar) in ftplib, httplib, imaplib, smtplib, poplib and urllib.
ssl.wrap_socket() is not marked as deprecated yet.
|
Patch by Kurt Roeckx.
|
Patch by Donald Stufft.
|
Patch by Matt Chaput.
|
tests.
|
tests.
|
indication for TLS/SSL connections.
|
limiting the call to readline(). Original patch by Michał
Jastrzębski and Giampaolo Rodola.
|
limiting the call to readline(). Original patch by Michał
Jastrzębski and Giampaolo Rodola.
|
possible, since "localhost" goes through a DNS lookup under recent Windows versions.
|
possible, since "localhost" goes through a DNS lookup under recent Windows versions.
|
Increasing test coverage of ftplib. Patch by Muhammad Jehanzeb
|
everywhere so that failing tests won't accidentally hang
|
text file
Add a unit test to ensure that text files are rejected (with TypeError)
|
Add a unit test to ensure that text files are rejected (with TypeError)
|
Patch from Serhiy Storchaka.
|
expected len and then the actual data content; this way we get a failure on len mismatch rather than content mismatch (which is very long and unreadable)
|
failing.
|
failing.
|