mina-dev mailing list archives

From "Sai Pullabhotla (JIRA)" <j...@apache.org>
Subject [jira] Updated: (FTPSERVER-323) Add a new configuration option for enabling/disabling IP check when accepting passive data connections
Date Mon, 07 Sep 2009 17:30:57 GMT

     [ https://issues.apache.org/jira/browse/FTPSERVER-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sai Pullabhotla updated FTPSERVER-323:
--------------------------------------

    Component/s: Core
     Issue Type: New Feature  (was: Bug)
        Summary: Add a new configuration option for enabling/disabling IP check when accepting
passive data connections  (was: Passive Data connections should check the remote IP address
before starting the data transfer)

Changed the title to better match the resolution we came up with. 

> Add a new configuration option for enabling/disabling IP check when accepting passive data connections
> ------------------------------------------------------------------------------------------------------
>
>                 Key: FTPSERVER-323
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-323
>             Project: FtpServer
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 1.0.2
>            Reporter: Sai Pullabhotla
>             Fix For: 1.1.0
>
>         Attachments: FTPSERVER-323.patch
>
>
> In the current version it is possible for a hacker to connect to any passive port that is currently waiting for a connection and read/write data off that connection. We should implement a check in place to make sure the IP address of the remote host is the same as the one we are expecting; if not, close the data connection right away. After closing the data connection we can do one of the following:
> 1. Wait for incoming connection again so the original client can connect
> 2. Just quit and send a reply back to the client that the data connection is closed. We need to figure out what reply we want to send in this case.
> What do you guys think we should do? 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
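
The check described in the issue, as an added example that is not part of the original message and is not FtpServer's own code. It follows option 1 (close the mismatched peer and keep waiting); the class name, acceptData and the ipCheck flag are hypothetical, and 192.0.2.10 is a constructed address.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

public class PassiveIpCheck {
    /**
     * Accept a passive data connection. With ipCheck enabled, any peer whose
     * address differs from the control connection's peer is closed and the
     * listener keeps waiting. Returns null if no acceptable peer connects
     * within timeoutMs. ipCheck=false reproduces the unchecked behaviour.
     */
    static Socket acceptData(ServerSocket passive, InetAddress controlPeer,
                             boolean ipCheck, int timeoutMs) throws IOException {
        long deadline = System.currentTimeMillis() + timeoutMs;
        while (true) {
            long remaining = deadline - System.currentTimeMillis();
            if (remaining <= 0) return null;      // setSoTimeout(0) would block forever
            passive.setSoTimeout((int) remaining);
            Socket data;
            try {
                data = passive.accept();
            } catch (SocketTimeoutException e) {
                return null;
            }
            if (!ipCheck || data.getInetAddress().equals(controlPeer)) {
                return data;                       // expected client (or check disabled)
            }
            // Unexpected host: log it, close it, wait for the original client.
            System.err.println("Rejected data connection from " + data.getInetAddress());
            data.close();
        }
    }

    public static void main(String[] args) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        InetAddress other = InetAddress.getByName("192.0.2.10"); // constructed (TEST-NET-1)
        try (ServerSocket passive = new ServerSocket(0, 1, loopback)) {
            // Control peer matches the connecting client: the socket is handed back.
            try (Socket c = new Socket(loopback, passive.getLocalPort());
                 Socket d = acceptData(passive, loopback, true, 500)) {
                System.out.println("matching peer accepted: " + (d != null));
            }
            // Control peer is another host: the loopback client is closed, result is null.
            try (Socket c = new Socket(loopback, passive.getLocalPort())) {
                Socket d = acceptData(passive, other, true, 500);
                System.out.println("mismatched peer accepted: " + (d != null));
            }
        }
    }
}
```

A strict address match can reject legitimate clients whose control and data connections leave from different addresses, which is a reason to keep the check switchable.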
