Re: [Bug-wget] FTP PORT command code in v1.16.3?
From: Giuseppe Scrivano
Subject: Re: [Bug-wget] FTP PORT command code in v1.16.3?
Date: Tue, 11 Aug 2015 17:24:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Tim Ruehsen <address@hidden> writes:
> From d8d545994be399705c483ea924e71c3e6348d99d Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Tim=20R=C3=BChsen?= <address@hidden>
> Date: Tue, 11 Aug 2015 16:48:08 +0200
> Subject: [PATCH] Fix IP address exposure in FTP code
>
> * src/ftp.c (getftp): Do not use PORT when PASV fails.
> * tests/FTPServer.px: Add pasv_not_supported server flag.
> * tests/Makefile.am: Add Test-ftp-pasv-not-supported.px
> * tests/Test-ftp-pasv-not-supported.px: New test
>
> Fix IP address exposure when automatically falling back from
> passive mode to active mode (using the PORT command). A behavior that
> may be used to expose a client's privacy even when using a proxy.
> ---
> src/ftp.c | 19 +++++++-----
> tests/FTPServer.pm | 8 +++++
> tests/Makefile.am | 3 +-
> tests/Test-ftp-pasv-not-supported.px | 57
> ++++++++++++++++++++++++++++++++++++
> 4 files changed, 79 insertions(+), 8 deletions(-)
> create mode 100755 tests/Test-ftp-pasv-not-supported.px
>
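Review bot: the ChangeLog entry names `tests/FTPServer.px` while the diffstat lists `tests/FTPServer.pm` as the file actually modified; one of the two should be corrected so the log entry matches the change.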
> diff --git a/src/ftp.c b/src/ftp.c
> index 68f1a33..9dab99c 100644
> --- a/src/ftp.c
> +++ b/src/ftp.c
> @@ -252,7 +252,6 @@ getftp (struct url *u, wgint passed_expected_bytes, wgint
> *qtyread,
> char *respline, *tms;
> const char *user, *passwd, *tmrate;
> int cmd = con->cmd;
> - bool pasv_mode_open = false;
> wgint expected_bytes = 0;
> bool got_expected_bytes = false;
> bool rest_failed = false;
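Review bot: `pasv_mode_open` is removed here and its two remaining uses are rewritten in the later hunks to test `opt.ftp_pasv` instead; after applying, a build with warnings enabled (or a grep for `pasv_mode_open` in src/ftp.c) should confirm no other reference to the flag is left behind.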
> @@ -883,13 +882,19 @@ Error in server response, closing control
> connection.\n"));
> ? CONERROR : CONIMPOSSIBLE);
> }
>
> - pasv_mode_open = true; /* Flag to avoid accept port */
> if (!opt.server_response)
> logputs (LOG_VERBOSE, _("done. "));
> - } /* err==FTP_OK */
> - }
> + }
> + else
> + return err;
>
> - if (!pasv_mode_open) /* Try to use a port command if PASV failed */
> + /*
> + * We do not want to fall back from PASSIVE mode to ACTIVE mode !
> + * The reason is the PORT command exposes the client's real IP
> address
> + * to the server. Bad for someone who relies on privacy via a ftp
> proxy.
> + */
> + }
> + else
> {
> err = ftp_do_port (csock, &local_sock);
> /* FTPRERR, WRITEFAILED, bindport (FTPSYSERR), HOSTERR,
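Review bot: the new `else return err;` makes any PASV failure fatal for the transfer, which is the intended fix, but a user whose download used to succeed via the PORT fallback now gets a bare failure with no explanation; consider adding a `logputs (LOG_VERBOSE, ...)` line before the return saying that falling back to active mode is refused because PORT would expose the client's address, and check that the early return does not skip any cleanup further down in getftp that the old fall-through path reached. The explanatory comment also sits after the inner if/else rather than next to the `else` it describes, and would read better as "an FTP proxy" and without the space before "!".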
> @@ -1148,8 +1153,8 @@ Error in server response, closing control
> connection.\n"));
> }
>
> /* If no transmission was required, then everything is OK. */
> - if (!pasv_mode_open) /* we are not using pasive mode so we need
> - to accept */
> + if (!opt.ftp_pasv) /* we are not using passive mode so we need
> + to accept */
> {
> /* Wait for the server to connect to the address we're waiting
> at. */
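Review bot: testing `!opt.ftp_pasv` here instead of the removed connection-state flag is only equivalent because the previous hunk returns early whenever PASV fails, so this point is now reached only after a successful PASV or after `ftp_do_port`; a one-line comment stating that invariant would keep the two places from drifting apart if the PASV branch is changed again. The spelling fix ("pasive" to "passive") in the comment is welcome.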
ACK from me. Could you please also update NEWS? It looks like some
important change we want to inform people about :)
Regards,
Giuseppe