bug-wget
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] FTP PORT command code in v1.16.3?


From: Giuseppe Scrivano
Subject: Re: [Bug-wget] FTP PORT command code in v1.16.3?
Date: Tue, 11 Aug 2015 17:24:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Tim Ruehsen <address@hidden> writes:

> From d8d545994be399705c483ea924e71c3e6348d99d Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Tim=20R=C3=BChsen?= <address@hidden>
> Date: Tue, 11 Aug 2015 16:48:08 +0200
> Subject: [PATCH] Fix IP address exposure in FTP code
>
> * src/ftp.c (getftp): Do not use PORT when PASV fails.
> * tests/FTPServer.px: Add pasv_not_supported server flag.
> * tests/Makefile.am: Add Test-ftp-pasv-not-supported.px
> * tests/Test-ftp-pasv-not-supported.px: New test
>
> Fix IP address exposure when automatically falling back from
> passive mode to active mode (using the PORT command). A behavior that
> may be used to expose a client's privacy even when using a proxy.
> ---
>  src/ftp.c                            | 19 +++++++-----
>  tests/FTPServer.pm                   |  8 +++++
>  tests/Makefile.am                    |  3 +-
>  tests/Test-ftp-pasv-not-supported.px | 57 
> ++++++++++++++++++++++++++++++++++++
>  4 files changed, 79 insertions(+), 8 deletions(-)
>  create mode 100755 tests/Test-ftp-pasv-not-supported.px
>
> diff --git a/src/ftp.c b/src/ftp.c
> index 68f1a33..9dab99c 100644
> --- a/src/ftp.c
> +++ b/src/ftp.c
> @@ -252,7 +252,6 @@ getftp (struct url *u, wgint passed_expected_bytes, wgint 
> *qtyread,
>    char *respline, *tms;
>    const char *user, *passwd, *tmrate;
>    int cmd = con->cmd;
> -  bool pasv_mode_open = false;
>    wgint expected_bytes = 0;
>    bool got_expected_bytes = false;
>    bool rest_failed = false;
> @@ -883,13 +882,19 @@ Error in server response, closing control 
> connection.\n"));
>                            ? CONERROR : CONIMPOSSIBLE);
>                  }
>  
> -              pasv_mode_open = true;  /* Flag to avoid accept port */
>                if (!opt.server_response)
>                  logputs (LOG_VERBOSE, _("done.    "));
> -            } /* err==FTP_OK */
> -        }
> +            }
> +          else
> +            return err;
>  
> -      if (!pasv_mode_open)   /* Try to use a port command if PASV failed */
> +          /*
> +           * We do not want to fall back from PASSIVE mode to ACTIVE mode !
> +           * The reason is the PORT command exposes the client's real IP 
> address
> +           * to the server. Bad for someone who relies on privacy via a ftp 
> proxy.
> +           */
> +        }
> +      else
>          {
>            err = ftp_do_port (csock, &local_sock);
>            /* FTPRERR, WRITEFAILED, bindport (FTPSYSERR), HOSTERR,
> @@ -1148,8 +1153,8 @@ Error in server response, closing control 
> connection.\n"));
>      }
>  
>    /* If no transmission was required, then everything is OK.  */
> -  if (!pasv_mode_open)  /* we are not using pasive mode so we need
> -                              to accept */
> +  if (!opt.ftp_pasv)  /* we are not using passive mode so we need
> +                         to accept */
>      {
>        /* Wait for the server to connect to the address we're waiting
>           at.  */

ACK from me.  Could you please also update NEWS?  It looks like some
important change we want to inform people about :)

Regards,
Giuseppe



reply via email to

[Prev in Thread] Current Thread [Next in Thread]