Niklas Gustavsson wrote:
Hey

Mozilla has recently made a fix to their FTP client that ignores the provided IP address in the PASV command. I'm a bit curious if this is anything that would affect us as well (probably in the case of the PORT command) and would like your feedback.

More info on the Mozilla bug over here:
http://www.mozilla.org/security/announce/2007/mfsa2007-11.html

I should probably also point out that we already can do one check and that is that the data socket address has to be the same as the client address. This check is by default disabled, but can be activated using:
config.listeners.<listener name>.data-connection.active.ip-check=true

Should we maybe activate this check by default?

/niklas
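
The address check described in the message above, sketched as an added example (not part of the original message and not the server's own code): a PORT argument is parsed and its address compared with the control connection's peer address. The function names and the `ip_check` and `min_port` parameters are hypothetical, and the privileged-port refusal goes beyond the check the message describes.

```python
import ipaddress
import re

# PORT argument as defined in RFC 959: h1,h2,h3,h4,p1,p2
PORT_ARG = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_argument(arg):
    """Return (IPv4Address, port) for a PORT argument; ValueError if malformed."""
    m = PORT_ARG.fullmatch(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    host = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return host, nums[4] * 256 + nums[5]


def normalize_peer(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), as seen on dual-stack sockets."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allow_active_data_connection(control_peer, port_arg, ip_check, min_port=1024):
    """Return (allowed, reason) for a PORT command received on a control connection."""
    try:
        host, port = parse_port_argument(port_arg)
    except ValueError as exc:
        return False, str(exc)
    # The check from the message: data address must equal the client address.
    if ip_check and host != normalize_peer(control_peer):
        return False, "PORT address differs from control connection peer"
    # Assumption beyond the message: also refuse well-known ports (RFC 2577 advice).
    if port < min_port:
        return False, "PORT targets a privileged port"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    for peer, arg in [("192.0.2.10", "192,0,2,10,195,80"),
                      ("192.0.2.10", "198,51,100,7,195,80"),
                      ("::ffff:192.0.2.10", "192,0,2,10,0,22")]:
        print(peer, arg, allow_active_data_connection(peer, arg, ip_check=True))
```

With `ip_check=False`, which mirrors the disabled default mentioned in the message, the second sample would be accepted and the server would open a data connection to a host other than the client.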
