> On Monday 10 August 2015 16:37:35 [email protected] wrote:
>> In the past it could be possible for a site over http connection to
>> redirect wget to FTP using FTP PORT command so the site gets the real IP
>> of the computer even when wget proxy command is in use I believe:
>> https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
>>
>> Is that code still present in wget v1.16.3? It was present in v1.13.4.
>
> By default Wget is using passive FTP. This avoids PORT (resp. EPRT and
> LPRT).
>
> But your system administrator could change the default behavior via
> /etc/wgetrc and/or you could change it in ~/.wgetrc.
>
> You can prove Wget's behavior with the -d command line option.
> E.g. 'wget -d ftp://ftp.example.com/xyz' (fill a real FTP server here)
> A PORT command would be printed to the screen.
>
> *BUT* if the server rejects the PASV command, Wget automatically falls back
> to PORT. This is a security threat to people who try to stay anonymous, the
> real client's IP will be shown to the FTP server.
> I guess this is what you are talking about !?

Yes I believe. The way I understood the issue is if I used wget to download a
file from a website like
'$wget --proxy --execute=http_proxy=http://127.0.0.1:8118/ -c http://somesite.com/somefile.txt'
the site could send FTP PORT command to redirect wget to ftp protocol, and then
get the computer's IP even though I used the http proxy option.

>
> Anyways, this behavior has to be changed.
>
> Thanks for throwing this up.
>
> Tim

No problem, you're welcome and thanks for the fast fix, this will make many people happy!
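
The `-d` check and the wgetrc setting discussed in this thread can be scripted; the following is an added example, not part of the original messages or of Wget itself. The function names and both sample logs are constructed for illustration, and the script assumes client commands appear in the debug output as lines starting with `--> `.

```shell
#!/bin/sh
# Added example (not from the thread): classify the FTP data-connection mode
# seen in `wget -d` output. Real use: wget -d URL 2>&1 | ftp_mode_report

# Constructed debug excerpt: PASV is rejected, then PORT is sent.
sample_fallback_log() {
cat <<'EOF'
--> USER anonymous
331 Please specify the password.
--> PASV
500 Unknown command.
--> PORT 192,0,2,10,195,80
200 PORT command successful.
EOF
}

# Constructed debug excerpt: PASV is accepted, no active-mode command follows.
sample_passive_log() {
cat <<'EOF'
--> PASV
227 Entering Passive Mode (198,51,100,7,195,81).
--> RETR xyz
EOF
}

# Reads debug output on stdin; prints passive, active, fallback or none.
# "fallback" means a passive command was sent and an active one came later.
ftp_mode_report() {
    awk '
        /^--> (PASV|EPSV|LPSV)/ { passive = 1 }
        /^--> (PORT|EPRT|LPRT)/ { active = 1; if (passive) fallback = 1 }
        END {
            if (fallback)     print "fallback"
            else if (active)  print "active"
            else if (passive) print "passive"
            else              print "none"
        }'
}

# Reads a wgetrc on stdin; succeeds if an uncommented line turns passive FTP off.
wgetrc_disables_passive() {
    grep -Eiq '^[[:space:]]*passive_ftp[[:space:]]*=[[:space:]]*(off|no|0)[[:space:]]*$'
}

echo "fallback sample: $(sample_fallback_log | ftp_mode_report)"
echo "passive sample:  $(sample_passive_log | ftp_mode_report)"
```

A result of `fallback` or `active` means the client announced its own address to the FTP server; feed `/etc/wgetrc` or `~/.wgetrc` to `wgetrc_disables_passive` to see whether the passive default was switched off.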
