[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747422#action_12747422 ]

Sai Pullabhotla commented on FTPSERVER-323:
-------------------------------------------

Okay, the code is checked in for #323. I opened a new case for the
constructors.

Thanks.

Sai Pullabhotla
www.jMethods.com




On Tue, Aug 25, 2009 at 7:37 AM, Niklas Gustavsson


> Passive Data connections should check the remote IP address before starting 
> the data transfer
> ---------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: Bug
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>         Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive 
> port that is currently waiting for a connection and read/write data off that 
> connection. We should implement a check in place to make sure the IP address 
> of the remote host is the same as the one we are expecting; if not, close the 
> data connection right away. After closing the data connection we can do one of 
> the following: 
> 1. Wait for incoming connection again so the original client can connect 
> 2. Just quit and send a reply back to the client that the data connection is 
> closed. We need to figure out what reply we want to send in this case. 
> What do you guys think we should do? 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
