The idle timeout of passive data connections shouldn't be stopped in case of rejected "site-to-site" connections #78

Closed
giampaolo opened this issue May 28, 2014 · 6 comments
Labels: bug, Component-Library, imported (imported from old googlecode site and very likely outdated), Security

Comments

@giampaolo (Owner)

From billiej...@gmail.com on October 01, 2008 16:07:21

What steps will reproduce the problem?  
1. Set up an FTP server with the FTPHandler.permit_foreign_address attribute
set to False (the default).
2. Connect with a client and send a PASV or EPSV command.
3. Use another client with a different address to establish the
connection with the passive listening socket (site-to-site transfer).

What is the expected output?  


What do you see instead?  
The FTP site-to-site transfer feature, also referred to as "FXP", permits
transferring a file between two remote FTP servers without the transfer
going through the client's host.
When the FTPHandler.permit_foreign_address attribute is set to False, a data
connection from a remote IP address which does not match the client's IP
address will be dropped and the listening socket will remain open.

When such an event occurs, the timer used to close the listening socket in
case the connection does not occur within 30 seconds gets stopped.
This shouldn't happen and may also represent a security issue in case a
malicious host tries to open a lot of listening data sockets by repeating
steps 2 and 3 described above.

Original issue: http://code.google.com/p/pyftpdlib/issues/detail?id=78
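The following Python model is an added example, not pyftpdlib's own code (its class and function names, the injectable clock and the `keep_timer_on_reject` switch are assumptions for illustration). It models one PASV/EPSV listener with a 30-second idle timer and lets you compare the two policies the report contrasts: stopping the timer when a foreign (site-to-site) peer is rejected, which leaves a listener nothing will ever close, versus keeping the timer armed until a data connection is actually accepted. `simulate_fxp_flood` plays the attacker from steps 2 and 3 and counts how many listeners survive past the timeout; the peer addresses are RFC 5737 documentation addresses, constructed for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed example: the names below, the injectable clock and the
# keep_timer_on_reject switch are assumptions, not pyftpdlib's real API.

PASSIVE_IDLE_TIMEOUT = 30.0  # seconds a PASV/EPSV listener may wait for a data connection


@dataclass
class PassiveDataListener:
    """Models one listening data socket created in response to PASV/EPSV."""
    control_ip: str                        # peer address of the control connection
    permit_foreign_address: bool = False   # False (default) rejects site-to-site (FXP) peers
    keep_timer_on_reject: bool = True      # True = fixed behaviour, False = the reported bug
    timeout: float = PASSIVE_IDLE_TIMEOUT
    clock: Callable[[], float] = time.monotonic
    deadline: Optional[float] = None       # absolute time at which an idle listener closes
    closed: bool = False
    data_peer: Optional[str] = None        # address of the accepted data connection, if any
    rejected: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Opening the listener arms the idle timer.
        self.deadline = self.clock() + self.timeout

    def on_connection(self, peer_ip: str) -> bool:
        """Handle a TCP connect on the listening socket; True if accepted."""
        if self.closed:
            raise RuntimeError("listener already closed")
        if peer_ip == self.control_ip or self.permit_foreign_address:
            # Accepted: the data connection now owns the socket, so the
            # idle timer has served its purpose and is stopped.
            self.data_peer = peer_ip
            self.deadline = None
            return True
        # Rejected: the foreign connection is dropped and the listening
        # socket stays open for the real client.
        self.rejected.append(peer_ip)
        if not self.keep_timer_on_reject:
            # The bug: stopping the timer here leaves a listener that
            # nothing will ever close.
            self.deadline = None
        return False

    def poll(self) -> bool:
        """Close the listener once its idle deadline has passed; returns closed state."""
        if (not self.closed and self.deadline is not None
                and self.clock() >= self.deadline):
            self.closed = True
        return self.closed


class FakeClock:
    """Deterministic replacement for time.monotonic used by the simulation."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_fxp_flood(keep_timer_on_reject: bool, attempts: int = 100) -> int:
    """Attacker on control connection 203.0.113.10 repeats PASV and has a
    second host, 198.51.100.7, connect to each listener (constructed
    addresses). Returns how many listeners are still open 31 s after the
    last PASV."""
    clock = FakeClock()
    listeners = []
    for _ in range(attempts):
        listener = PassiveDataListener("203.0.113.10", clock=clock,
                                       keep_timer_on_reject=keep_timer_on_reject)
        assert not listener.on_connection("198.51.100.7")  # foreign peer is rejected
        listeners.append(listener)
        clock.advance(0.1)
    clock.advance(PASSIVE_IDLE_TIMEOUT + 1)
    return sum(1 for listener in listeners if not listener.poll())


if __name__ == "__main__":
    print("open listeners after flood, timer stopped on reject:",
          simulate_fxp_flood(keep_timer_on_reject=False))
    print("open listeners after flood, timer kept on reject:   ",
          simulate_fxp_flood(keep_timer_on_reject=True))
```

The design point is that a rejected connect must not be treated as the event the timer was waiting for: the deadline is fixed when the listener is opened and is cleared only by an accepted data connection, so a foreign peer can neither cancel the timeout nor extend it by reconnecting.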

@giampaolo giampaolo self-assigned this May 28, 2014
@giampaolo (Owner, Author)

From billiej...@gmail.com on October 01, 2008 07:10:51

Fixed in r406.

Status: Finished

@giampaolo (Owner, Author)

From billiej...@gmail.com on October 01, 2008 07:13:09

Summary: The idle timeout of passive data connections shouldn't be stopped in case of rejected "site-to-site" connections

@giampaolo (Owner, Author)

From billiej...@gmail.com on October 13, 2008 12:13:13

Labels: Component-Library

@giampaolo (Owner, Author)

From billiej...@gmail.com on November 20, 2008 12:56:32

Labels: Milestone-0.5.1

@giampaolo (Owner, Author)

From billiej...@gmail.com on January 21, 2009 10:05:51

Fixed in version 0.5.1 released on 2009-01-21.

Status: Fixed

@giampaolo (Owner, Author)

From g.rodola on August 11, 2010 15:20:02

Owner: g.rodola
