[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sai Pullabhotla updated FTPSERVER-323:
--------------------------------------

    Component/s: Core
     Issue Type: New Feature  (was: Bug)
        Summary: Add a new configuration option for enabling/disabling IP check when accepting passive data connections  (was: Passive Data connections should check the remote IP address before starting the data transfer)

Changed the title to better match the resolution we came up with.

> Add a new configuration option for enabling/disabling IP check when accepting
> passive data connections
> ------------------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>         Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive
> port that is currently waiting for a connection and read/write data off that
> connection. We should implement a check in place to make sure the IP address
> of the remote host is the same as the one we are expecting; if not, close the
> data connection right away. After closing the data connection we can do one of
> the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. Just quit and send a reply back to the client that the data connection is
> closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
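
The check described in the issue, sketched as an added example (this is not the attached FTPSERVER-323.patch and not Apache FtpServer code). The class name, method name and the ipCheck/keepWaiting/timeoutMs parameters are hypothetical; keepWaiting selects between options 1 and 2 above, and 192.0.2.10 is a constructed documentation address.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

/** Added illustration; all names here are hypothetical. */
public class PassiveIpCheck {

    /**
     * Accepts one passive data connection. When ipCheck is true, the peer address
     * must equal the address of the client on the control connection.
     * keepWaiting = true  -> option 1: drop the stranger and keep listening.
     * keepWaiting = false -> option 2: give up after the first mismatch.
     * Returns null when no acceptable peer connected before the timeout; the
     * caller then decides which reply to send on the control connection.
     */
    static Socket acceptData(ServerSocket passive, InetAddress controlPeer,
                             boolean ipCheck, boolean keepWaiting, int timeoutMs)
            throws IOException {
        long deadline = System.currentTimeMillis() + timeoutMs;
        while (true) {
            long remaining = deadline - System.currentTimeMillis();
            if (remaining <= 0) return null;          // overall wait is bounded
            passive.setSoTimeout((int) remaining);
            Socket data;
            try {
                data = passive.accept();
            } catch (SocketTimeoutException e) {
                return null;
            }
            if (!ipCheck || data.getInetAddress().equals(controlPeer)) return data;
            data.close();                             // wrong host: no bytes exchanged
            if (!keepWaiting) return null;
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        InetAddress other = InetAddress.getByName("192.0.2.10"); // constructed sample
        try (ServerSocket passive = new ServerSocket(0, 1, loopback)) {
            // Control peer recorded as 192.0.2.10, data peer is loopback: rejected.
            try (Socket c = new Socket(loopback, passive.getLocalPort());
                 Socket d = acceptData(passive, other, true, false, 2000)) {
                System.out.println("mismatched peer accepted: " + (d != null));
            }
            // Control peer and data peer are both loopback: accepted.
            try (Socket c = new Socket(loopback, passive.getLocalPort());
                 Socket d = acceptData(passive, loopback, true, false, 2000)) {
                System.out.println("expected peer accepted: " + (d != null));
            }
        }
    }
}
```

With keepWaiting set to true, a host that connects repeatedly can hold the passive port until the timeout expires, so the deadline is applied to the whole wait rather than to each accept call.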