Opened 7 months ago

Closed 6 months ago

#146 closed enhancement (wontfix)

Allow to trust pasv sent from server in session_factory

Reported by: ftputiluser Owned by: schwa
Priority: minor Milestone: never
Component: Library Version: 5.0.1
Keywords: pasv, security Cc:

Description

Hello,

Python recently made the ftplib not trusting the PASV response sent from the server by default : https://github.com/python/cpython/commit/79373951b3eab585d42e0f0ab83718cbe1d0ee33

This means that if we rely on the IP sent back by the server, we need to set trust_server_pasv_ipv4_address to True.

When using ftputil, it means that we have to create a subclass specifically for this, as for now the option is not available in the session_factory.

Working code : ` import ftplib

class FTPTrustPASV(ftplib.FTP_TLS):

def init(self, host, userid, password, port, debug_level: int = 0):

"""Act like ftplib.FTP's constructor but force trusting the pasv from the server.""" super().init() self.trust_server_pasv_ipv4_address = True self.connect(host, port) self.login(userid, password) self.prot_p() self.debug_level = debug_level

`

Being able to set trust_server_pasv_ipv4_address from the session_factory, without having to create a whole new subclass, would be pretty nice.

Change History (1)

comment:1 Changed 6 months ago by schwa

Keywords: pasv security added
Milestone: never
Resolution: wontfix
Status: newclosed
Version: 5.0.1

Sorry I'm replying so late. I couldn't make up my mind and postponed answering.

Since the change in ftplib is for increased security, I don't want to "encourage" setting the flag from session_factory. Of course this doesn't prevent a user from setting the flag, as your example shows. :-)

I don't think it would be an outright "bad" idea to support the flag, but I'm not convinced it should be explicitly supported either. Therefore, I'm closing the ticket as "wontfix" (since I don't want to add a "wontenhance" resolution especially for this ticket ;-) ).

Note: See TracTickets for help on using tickets.