We've been looking into sporadic problems one of the users of the FTP server
is having, and have run into a scenario with passive ports that has us
asking more questions than answers.

First of all - we see the algorithm for PassivePorts is that it creates an
ordered list of ports and attempts to allocate the lowest available port.
It does seem that there is a check to make sure a free port is actually
available, but we're wondering if the port could be held open by a firewall
or client even though the server thinks it's closed. (We will be the first to
admit that we're grasping at straws here, but it would explain some of what
we've seen.)

In researching this, however, we're VERY concerned by the algorithm used.
Any algorithm that offers predictably guessable unsecured open ports seems
like a major security issue - does Apache FTP mitigate this by ensuring that
the same client address is used to connect to both the control and data
ports?

Most servers that implement linear allocation seem to always use "next
available" instead of "lowest available" ports. A few even use "randomly
available", which seems like it would be a lot more secure. Is there a
reason either of these were not used?

Finally, we noticed that PassivePorts.reserveNextPort() is not synchronized.
Why was this? We do note that it is called from two locations, both
synchronized methods, although it seems like there is still a high
possibility for a race condition here, although we didn't dig closely into
the methods in question.

We are tempted to rewrite the PassivePorts class to address these problems.
Before we do - is anyone else looking into these issues or have other
concerns along this front?

Allen
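The three allocation strategies the post contrasts (lowest available, next available, random), the lock that reserveNextPort() is said to lack, and the control/data peer-address check the post asks about, as an added illustration that is not code from Apache FtpServer. The class and function names (PassivePortPool, data_peer_allowed) and the port ranges are assumptions made for the example.

```python
import random
import threading

class PassivePortPool:
    """Allocator for passive-mode data ports taken from a configured range.

    strategy is "lowest" (the behaviour the post describes), "next"
    (round-robin) or "random". Every public method holds the lock, so two
    control connections issuing PASV at once cannot be handed the same port.
    """
    def __init__(self, ports, strategy="random", rng=None):
        self._ports = sorted(set(ports))      # ordered list, as in the post
        self._free = set(self._ports)
        self._strategy = strategy
        self._cursor = 0                      # only used by "next"
        # SystemRandom: later picks are not predictable from earlier ones
        self._rng = rng or random.SystemRandom()
        self._lock = threading.Lock()

    def reserve(self):
        """Return a free port and mark it in use, or None if the pool is exhausted."""
        with self._lock:
            if not self._free:
                return None                   # caller should reject the PASV
            if self._strategy == "lowest":
                port = min(self._free)        # fully predictable: always the smallest
            elif self._strategy == "next":
                n = len(self._ports)
                for i in range(n):            # walk forward from the cursor
                    idx = (self._cursor + i) % n
                    if self._ports[idx] in self._free:
                        port = self._ports[idx]
                        self._cursor = (idx + 1) % n
                        break
            else:
                port = self._rng.choice(sorted(self._free))
            self._free.remove(port)
            return port

    def release(self, port):
        """Return a port to the pool once the data connection is closed."""
        with self._lock:
            if port in self._ports:
                self._free.add(port)

def data_peer_allowed(control_peer_ip, data_peer_ip):
    """Mitigation the post asks about: accept a passive data connection only
    from the address that holds the control connection."""
    return control_peer_ip == data_peer_ip
```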
