python2/00372-CVE-2021-4189.patch

diff --git a/Lib/ftplib.py b/Lib/ftplib.py
index 6644554..0550f0a 100644
--- a/Lib/ftplib.py
+++ b/Lib/ftplib.py
@@ -108,6 +108,8 @@ class FTP:
     file = None
     welcome = None
     passiveserver = 1
+    # Disables https://bugs.python.org/issue43285 security if set to True.
+    trust_server_pasv_ipv4_address = False
 
     # Initialization method (called by class instantiation).
     # Initialize host to localhost, port to standard ftp port
@@ -310,8 +312,13 @@ class FTP:
         return sock
 
     def makepasv(self):
+        """Internal: Does the PASV or EPSV handshake -> (address, port)"""
         if self.af == socket.AF_INET:
-            host, port = parse227(self.sendcmd('PASV'))
+            untrusted_host, port = parse227(self.sendcmd('PASV'))
+            if self.trust_server_pasv_ipv4_address:
+                host = untrusted_host
+            else:
+                host = self.sock.getpeername()[0]
         else:
             host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())
         return host, port
diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
index 8a3eb06..62a3f5e 100644
--- a/Lib/test/test_ftplib.py
+++ b/Lib/test/test_ftplib.py
@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_chat):
         self.rest = None
         self.next_retr_data = RETR_DATA
         self.push('220 welcome')
+        # We use this as the string IPv4 address to direct the client
+        # to in response to a PASV command.  To test security behavior.
+        # https://bugs.python.org/issue43285/.
+        self.fake_pasv_server_ip = '252.253.254.255'
 
     def collect_incoming_data(self, data):
         self.in_buffer.append(data)
@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_chat):
         sock.bind((self.socket.getsockname()[0], 0))
         sock.listen(5)
         sock.settimeout(10)
-        ip, port = sock.getsockname()[:2]
+        port = sock.getsockname()[1]
+        ip = self.fake_pasv_server_ip
         ip = ip.replace('.', ',')
         p1, p2 = divmod(port, 256)
         self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))
@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):
         # IPv4 is in use, just make sure send_epsv has not been used
         self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')
 
+    def test_makepasv_issue43285_security_disabled(self):
+        """Test the opt-in to the old vulnerable behavior."""
+        self.client.trust_server_pasv_ipv4_address = True
+        bad_host, port = self.client.makepasv()
+        self.assertEqual(
+                bad_host, self.server.handler_instance.fake_pasv_server_ip)
+        # Opening and closing a connection keeps the dummy server happy
+        # instead of timing out on accept.
+        socket.create_connection((self.client.sock.getpeername()[0], port),
+                                 timeout=TIMEOUT).close()
+
+    def test_makepasv_issue43285_security_enabled_default(self):
+        self.assertFalse(self.client.trust_server_pasv_ipv4_address)
+        trusted_host, port = self.client.makepasv()
+        self.assertNotEqual(
+                trusted_host, self.server.handler_instance.fake_pasv_server_ip)
+        # Opening and closing a connection keeps the dummy server happy
+        # instead of timing out on accept.
+        socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()
+
     def test_line_too_long(self):
         self.assertRaises(ftplib.Error, self.client.sendcmd,
                           'x' * self.client.maxline * 2)
Import rpm: d4a05a5353d5b6b665297fbd4771399357b1359b 2022-08-08 18:00:23 +00:00			`diff --git a/Lib/ftplib.py b/Lib/ftplib.py`
			`index 6644554..0550f0a 100644`
			`--- a/Lib/ftplib.py`
			`+++ b/Lib/ftplib.py`
			`@@ -108,6 +108,8 @@ class FTP:`
			`file = None`
			`welcome = None`
			`passiveserver = 1`
			`+ # Disables https://bugs.python.org/issue43285 security if set to True.`
			`+ trust_server_pasv_ipv4_address = False`

			`# Initialization method (called by class instantiation).`
			`# Initialize host to localhost, port to standard ftp port`
			`@@ -310,8 +312,13 @@ class FTP:`
			`return sock`

			`def makepasv(self):`
			`+ """Internal: Does the PASV or EPSV handshake -> (address, port)"""`
			`if self.af == socket.AF_INET:`
			`- host, port = parse227(self.sendcmd('PASV'))`
			`+ untrusted_host, port = parse227(self.sendcmd('PASV'))`
			`+ if self.trust_server_pasv_ipv4_address:`
			`+ host = untrusted_host`
			`+ else:`
			`+ host = self.sock.getpeername()[0]`
			`else:`
			`host, port = parse229(self.sendcmd('EPSV'), self.sock.getpeername())`
			`return host, port`
			`diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py`
			`index 8a3eb06..62a3f5e 100644`
			`--- a/Lib/test/test_ftplib.py`
			`+++ b/Lib/test/test_ftplib.py`
			`@@ -67,6 +67,10 @@ class DummyFTPHandler(asynchat.async_chat):`
			`self.rest = None`
			`self.next_retr_data = RETR_DATA`
			`self.push('220 welcome')`
			`+ # We use this as the string IPv4 address to direct the client`
			`+ # to in response to a PASV command. To test security behavior.`
			`+ # https://bugs.python.org/issue43285/.`
			`+ self.fake_pasv_server_ip = '252.253.254.255'`

			`def collect_incoming_data(self, data):`
			`self.in_buffer.append(data)`
			`@@ -109,7 +113,8 @@ class DummyFTPHandler(asynchat.async_chat):`
			`sock.bind((self.socket.getsockname()[0], 0))`
			`sock.listen(5)`
			`sock.settimeout(10)`
			`- ip, port = sock.getsockname()[:2]`
			`+ port = sock.getsockname()[1]`
			`+ ip = self.fake_pasv_server_ip`
			`ip = ip.replace('.', ',')`
			`p1, p2 = divmod(port, 256)`
			`self.push('227 entering passive mode (%s,%d,%d)' %(ip, p1, p2))`
			`@@ -577,6 +582,26 @@ class TestFTPClass(TestCase):`
			`# IPv4 is in use, just make sure send_epsv has not been used`
			`self.assertEqual(self.server.handler_instance.last_received_cmd, 'pasv')`

			`+ def test_makepasv_issue43285_security_disabled(self):`
			`+ """Test the opt-in to the old vulnerable behavior."""`
			`+ self.client.trust_server_pasv_ipv4_address = True`
			`+ bad_host, port = self.client.makepasv()`
			`+ self.assertEqual(`
			`+ bad_host, self.server.handler_instance.fake_pasv_server_ip)`
			`+ # Opening and closing a connection keeps the dummy server happy`
			`+ # instead of timing out on accept.`
			`+ socket.create_connection((self.client.sock.getpeername()[0], port),`
			`+ timeout=TIMEOUT).close()`
			`+`
			`+ def test_makepasv_issue43285_security_enabled_default(self):`
			`+ self.assertFalse(self.client.trust_server_pasv_ipv4_address)`
			`+ trusted_host, port = self.client.makepasv()`
			`+ self.assertNotEqual(`
			`+ trusted_host, self.server.handler_instance.fake_pasv_server_ip)`
			`+ # Opening and closing a connection keeps the dummy server happy`
			`+ # instead of timing out on accept.`
			`+ socket.create_connection((trusted_host, port), timeout=TIMEOUT).close()`
			`+`
			`def test_line_too_long(self):`
			`self.assertRaises(ftplib.Error, self.client.sendcmd,`
			`'x' * self.client.maxline * 2)`