libcurl-security.md: Active FTP passes on the local IP address

Reported-by: Harry Sintonen
Closes #12867
Daniel Stenberg 2024-02-05 19:30:48 +01:00
parent 577182a6df
commit bf411ccd0d
GPG key ID: 5CC908FDB71E12C2

@ -363,6 +363,12 @@ instead of back to curl.
The fact that FTP uses two connections makes it vulnerable in a way that is
hard to avoid.
# Active FTP passes on the local IP address
If you use curl/libcurl to do *active* FTP transfers, curl will pass on the
address of your local IP to the remote server - even when for example using a
SOCKS or HTTP proxy in between curl and the target server.
# Denial of Service
A malicious server could cause libcurl to effectively hang by sending data
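Review bot: The added "Active FTP passes on the local IP address" section states the exposure but does not tell the reader how the address gets sent or what to do about it. Active mode has the client announce its own address and port to the server in the PORT/EPRT command on the control connection, which is why a SOCKS or HTTP proxy in between does not hide it; one sentence saying so would make the "even when" clause easier to follow. It would also help to add that active mode is only used when the application asks for it (`CURLOPT_FTPPORT` in libcurl, `--ftp-port` in the tool) and that staying with passive FTP avoids announcing the address this way. Wording nit in the first sentence: "the address of your local IP" reads better as "your local IP address", matching the section title.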