On Thursday 13 August 2015 02:47:19 [email protected] wrote:
>
> On Monday 10 August 2015 16:37:35 [email protected] wrote:
> >> In the past it could be possible for a site over http connection to
> >> redirect wget to FTP using FTP PORT command so the site gets the real IP
> >> of the computer even when wget proxy command is in use I believe:
> >> https://lists.torproject.org/pipermail/tor-talk/2012-April/024040.html
> >>
> >> Is that code still present in wget v1.16.3? It was present in v1.13.4.
> >
> > By default Wget is using passive FTP. This avoids PORT (resp. EPRT and
> > LPRT).
> >
> > But your system administrator could change the default behavior via
> > /etc/wgetrc and/or you could change it in ~/.wgetrc.
> >
> > You can prove Wget's behavior with the -d command line option.
> > E.g. 'wget -d ftp://ftp.example.com/xyz' (fill in a real FTP server here)
> > A PORT command would be printed to the screen.
> >
> > *BUT* if the server rejects the PASV command, Wget automatically falls back
> > to PORT. This is a security threat to people who try to stay anonymous; the
> > real client's IP will be shown to the FTP server.
> > I guess this is what you are talking about !?
>
> Yes I believe. The way I understood the issue is if I used wget to
> download a file from a website like '$wget --proxy
> --execute=http_proxy=http://127.0.0.1:8118/ -c
> http://somesite.com/somefile.txt' the site could send an FTP PORT command to
> redirect wget to the ftp protocol, and then get the computer's IP even though
> I used the http proxy option.
Well, somesite.com could redirect you to an FTP site. If the FTP site rejects the PASV command, Wget will send a PORT command including the client's IP address. This is fixed now. But to be 100% sure, you should add --passive-ftp to your command line. If you don't do that, your /etc/wgetrc or ~/.wgetrc could include --no-passive-ftp (or passiveftp = off). That switches passive FTP off and makes Wget send a PORT command (+ IP address) to the FTP server (sometimes you need this, if the server does not support passive FTP).

Tim
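The two checks Tim describes, a wgetrc that turns passive FTP off and a server that refuses PASV so the client falls back to PORT, can be exercised offline with the following script. It is an added example, not code from the wget project or from anyone on this thread. Everything in it is constructed for the illustration: the mock FTP server only speaks enough of the control channel to refuse PASV and record the address embedded in a PORT command, the stand-in client imitates the PASV-to-PORT fallback rather than being wget, and the sample wgetrc lines are made up. The wgetrc parsing relies on the documented rule that wgetrc command names are case-, underscore- and minus-insensitive, so passive_ftp, passiveftp and passive-ftp are the same setting.

```python
"""Added example, not code from wget or from anyone on this thread: a mock FTP
server that refuses PASV and records the address a client discloses if it falls
back to PORT, a stand-in client behaving like that fallback, and a wgetrc check."""
import re
import socket
import threading


def parse_port_arg(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' PORT argument (RFC 959) to (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return None                                # malformed argument
    nums = [int(p) for p in parts]
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def wgetrc_passive_ftp(text):
    """Return the last passive_ftp value set in wgetrc text (True/False), or None
    when it is not set. Command names are case-, underscore- and minus-insensitive
    (passive_ftp == passiveftp == passive-ftp); values on/off, yes/no, 1/0."""
    setting = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                               # blank, comment or not a command
        key, value = line.split("=", 1)
        if re.sub(r"[-_]", "", key).strip().lower() == "passiveftp":
            setting = value.strip().lower() in ("on", "yes", "1")
    return setting


class PasvRefusingFtpServer(threading.Thread):
    """Constructed control-channel-only FTP server on 127.0.0.1 that answers PASV
    with 502; whatever address the client then sends in PORT lands in .leaked."""

    REPLIES = {"USER": "331 password please", "PASS": "230 logged in",
               "PASV": "502 PASV not supported here"}

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # ephemeral port, see .port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.leaked = None                         # (ip, port) taken from PORT

    def run(self):                                 # serves exactly one client
        conn, _ = self.sock.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mock ftp\r\n")
        for raw in rfile:
            cmd, _, arg = raw.decode("ascii", "replace").strip().upper().partition(" ")
            if cmd == "PORT":                      # active-mode fallback: disclosure
                self.leaked = parse_port_arg(arg)
                reply = "200 PORT command successful"
            elif cmd == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                reply = self.REPLIES.get(cmd, "502 not implemented")
            conn.sendall(reply.encode() + b"\r\n")
        conn.close()
        self.sock.close()


def simulate_fallback_client(server_port, data_port=51205):
    """Constructed stand-in for a client that falls back to PORT (with its own
    address) after a rejected PASV. Returns the replies to PASV and PORT."""
    s = socket.create_connection(("127.0.0.1", server_port))
    rfile = s.makefile("rb")

    def cmd(line):
        s.sendall(line.encode() + b"\r\n")
        return rfile.readline().decode().strip()

    rfile.readline()                               # 220 greeting
    cmd("USER anonymous")
    cmd("PASS wget@")
    replies = [cmd("PASV")]
    if replies[-1].startswith("5"):                # PASV refused: fall back to PORT
        ip = s.getsockname()[0]
        replies.append(cmd("PORT %s,%d,%d" % (ip.replace(".", ","),
                                               data_port >> 8, data_port & 255)))
    cmd("QUIT")
    s.close()
    return replies


def demo():
    """Run the mock server and the fallback client together: (replies, leaked)."""
    srv = PasvRefusingFtpServer()
    srv.start()
    replies = simulate_fallback_client(srv.port)
    srv.join(timeout=5)
    return replies, srv.leaked
```

To test a real client instead of the stand-in, start `PasvRefusingFtpServer()`, note its `.port`, run `wget -d --passive-ftp ftp://127.0.0.1:PORT/x` against it and then `join()` the thread: `.leaked` stays `None` if wget gave up after the 502, and the `-d` output shows the PORT line if it fell back. Because the server listens on loopback only, a disclosed address will always be 127.0.0.1 here; the point is whether PORT is sent at all, not which address it carries.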
