[
https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12850909#action_12850909
]
Sai Pullabhotla commented on FTPSERVER-323:
-------------------------------------------
Looks like this feature is not checked into the 1.0.x branch. Could some one
look into it and see if it should be in the branch?
Thanks.
> Add a new configuration option for enabling/disabling IP check when accepting
> passive data connections
> ------------------------------------------------------------------------------------------------------
>
> Key: FTPSERVER-323
> URL: https://issues.apache.org/jira/browse/FTPSERVER-323
> Project: FtpServer
> Issue Type: New Feature
> Components: Core
> Affects Versions: 1.0.2
> Reporter: Sai Pullabhotla
> Fix For: 1.1.0
>
> Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive
> port that is currently waiting for a connection and read/write data off that
> connection. We should implement a check in place to make sure the IP address
> of the remote host is same as the one we are expecting, if not, close the
> data connection right way. After closing the data connection we can do one of
> the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. just quit and send a reply back to the client that the data connection is
> closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do?
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
