[ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sai Pullabhotla resolved FTPSERVER-323.
---------------------------------------

    Resolution: Fixed

> Add a new configuration option for enabling/disabling IP check when accepting passive data connections
> ------------------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>         Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive
> port that is currently waiting for a connection and read/write data off that
> connection. We should implement a check in place to make sure the IP address
> of the remote host is the same as the one we are expecting, if not, close the
> data connection right away. After closing the data connection we can do one of
> the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. Just quit and send a reply back to the client that the data connection is
>    closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?
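
The check described in the issue, as an added Java example: it is not the attached FTPSERVER-323.patch or Apache FtpServer code, and the class, method and parameter names are hypothetical. It implements option 1 (close the unexpected connection and keep waiting for the original client), bounded by a timeout so a stream of wrong-host connections cannot hold the passive port open indefinitely.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

// Added illustration; names are hypothetical, not Apache FtpServer's API.
public class PassiveAcceptCheck {
    // Accepts one data connection. With ipCheck on, a peer whose address differs from
    // the control connection's is closed and the listener waits again until timeoutMs.
    static Socket acceptDataConnection(ServerSocket passive, InetAddress controlPeer,
                                       boolean ipCheck, int timeoutMs) throws IOException {
        long deadline = System.nanoTime() + timeoutMs * 1_000_000L;
        while (true) {
            long leftMs = (deadline - System.nanoTime()) / 1_000_000L;
            if (leftMs <= 0) {
                throw new SocketTimeoutException("no data connection from " + controlPeer);
            }
            passive.setSoTimeout((int) leftMs);   // accept() throws on expiry
            Socket data = passive.accept();
            if (!ipCheck || data.getInetAddress().equals(controlPeer)) {
                return data;                      // expected client, or check disabled
            }
            // Unexpected host reached the passive port first: log, drop it, wait again.
            System.err.println("rejected data connection from " + data.getInetAddress());
            data.close();
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (ServerSocket passive = new ServerSocket(0, 1, loopback)) {
            // Constructed scenario 1: control peer and data peer are both loopback.
            try (Socket client = new Socket(loopback, passive.getLocalPort());
                 Socket data = acceptDataConnection(passive, loopback, true, 2000)) {
                System.out.println("accepted " + data.getInetAddress());
            }
            // Constructed scenario 2: control peer is a different (documentation) address.
            InetAddress other = InetAddress.getByName("192.0.2.10");
            try (Socket client = new Socket(loopback, passive.getLocalPort())) {
                acceptDataConnection(passive, other, true, 500);
            } catch (SocketTimeoutException e) {
                System.out.println("mismatch rejected: " + e.getMessage());
            }
        }
    }
}
```

Clients behind some NAT or load-balancer setups can legitimately present a different source address on the data connection than on the control connection, which is a reason to keep the check switchable as the issue title proposes.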