|
 |
1a95c1 |
From 2629f42d4cfdd04df0544007b03161e3d5d52d54 Mon Sep 17 00:00:00 2001
|
|
|
1a95c1 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
1a95c1 |
Date: Tue, 24 Nov 2020 14:56:57 +0100
|
|
|
1a95c1 |
Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
|
|
|
1a95c1 |
|
|
|
1a95c1 |
The command line tool also independently sets --ftp-skip-pasv-ip by
|
|
|
1a95c1 |
default.
|
|
|
1a95c1 |
|
|
|
1a95c1 |
Ten test cases updated to adapt the modified --libcurl output.
|
|
|
1a95c1 |
|
|
|
1a95c1 |
Bug: https://curl.se/docs/CVE-2020-8284.html
|
|
|
1a95c1 |
CVE-2020-8284
|
|
|
1a95c1 |
|
|
|
1a95c1 |
Reported-by: Varnavas Papaioannou
|
|
|
1a95c1 |
|
|
|
1a95c1 |
Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
|
|
|
1a95c1 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
1a95c1 |
---
|
|
|
1a95c1 |
docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++
|
|
|
1a95c1 |
docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
|
|
|
1a95c1 |
lib/url.c | 1 +
|
|
|
1a95c1 |
src/tool_cfgable.c | 1 +
|
|
|
1a95c1 |
tests/data/test1400 | 1 +
|
|
|
1a95c1 |
tests/data/test1401 | 1 +
|
|
|
1a95c1 |
tests/data/test1402 | 1 +
|
|
|
1a95c1 |
tests/data/test1403 | 1 +
|
|
|
1a95c1 |
tests/data/test1404 | 1 +
|
|
|
1a95c1 |
tests/data/test1405 | 1 +
|
|
|
1a95c1 |
tests/data/test1406 | 1 +
|
|
|
1a95c1 |
tests/data/test1407 | 1 +
|
|
|
1a95c1 |
tests/data/test1420 | 1 +
|
|
|
1a95c1 |
13 files changed, 18 insertions(+), 3 deletions(-)
|
|
|
1a95c1 |
|
|
|
1a95c1 |
diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
|
|
1a95c1 |
index da6ab11..4be8b43 100644
|
|
|
1a95c1 |
--- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
|
|
1a95c1 |
+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
|
|
|
1a95c1 |
@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
|
|
|
1a95c1 |
will re-use the same IP address it already uses for the control
|
|
|
1a95c1 |
connection.
|
|
|
1a95c1 |
|
|
|
1a95c1 |
+Since curl 7.74.0 this option is enabled by default.
|
|
|
1a95c1 |
+
|
|
|
1a95c1 |
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
|
|
1a95c1 |
diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
|
|
1a95c1 |
index 4d3026a..4227ed6 100644
|
|
|
1a95c1 |
--- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
|
|
1a95c1 |
+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
|
|
|
1a95c1 |
@@ -5,7 +5,7 @@
|
|
|
1a95c1 |
.\" * | (__| |_| | _ <| |___
|
|
|
1a95c1 |
.\" * \___|\___/|_| \_\_____|
|
|
|
1a95c1 |
.\" *
|
|
|
1a95c1 |
-.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
|
1a95c1 |
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
|
1a95c1 |
.\" *
|
|
|
1a95c1 |
.\" * This software is licensed as described in the file COPYING, which
|
|
|
1a95c1 |
.\" * you should have received as part of this distribution. The terms
|
|
|
1a95c1 |
@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
|
|
|
1a95c1 |
number from the 227-response.
|
|
|
1a95c1 |
|
|
|
1a95c1 |
This option thus allows libcurl to work around broken server installations
|
|
|
1a95c1 |
-that due to NATs, firewalls or incompetence report the wrong IP address back.
|
|
|
1a95c1 |
+that due to NATs, firewalls or incompetence report the wrong IP address
|
|
|
1a95c1 |
+back. Setting the option also reduces the risk for various sorts of client
|
|
|
1a95c1 |
+abuse by malicious servers.
|
|
|
1a95c1 |
|
|
|
1a95c1 |
This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
|
|
|
1a95c1 |
.SH DEFAULT
|
|
|
1a95c1 |
-0
|
|
|
1a95c1 |
+1 since 7.74.0, was 0 before then.
|
|
|
1a95c1 |
.SH PROTOCOLS
|
|
|
1a95c1 |
FTP
|
|
|
1a95c1 |
.SH EXAMPLE
|
|
|
1a95c1 |
diff --git a/lib/url.c b/lib/url.c
|
|
|
1a95c1 |
index e77f391..b18db25 100644
|
|
|
1a95c1 |
--- a/lib/url.c
|
|
|
1a95c1 |
+++ b/lib/url.c
|
|
|
1a95c1 |
@@ -434,6 +434,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
|
|
1a95c1 |
set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */
|
|
|
1a95c1 |
set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */
|
|
|
1a95c1 |
set->ftp_filemethod = FTPFILE_MULTICWD;
|
|
|
1a95c1 |
+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
|
|
|
1a95c1 |
|
|
|
1a95c1 |
set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
|
|
|
1a95c1 |
|
|
|
1a95c1 |
diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
|
|
|
1a95c1 |
index 81e16c1..110191e 100644
|
|
|
1a95c1 |
--- a/src/tool_cfgable.c
|
|
|
1a95c1 |
+++ b/src/tool_cfgable.c
|
|
|
1a95c1 |
@@ -43,6 +43,7 @@ void config_init(struct OperationConfig* config)
|
|
|
1a95c1 |
config->proto_default = NULL;
|
|
|
1a95c1 |
config->tcp_nodelay = TRUE; /* enabled by default */
|
|
|
1a95c1 |
config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
|
|
|
1a95c1 |
+ config->ftp_skip_ip = TRUE;
|
|
|
1a95c1 |
}
|
|
|
1a95c1 |
|
|
|
1a95c1 |
static void free_config_fields(struct OperationConfig *config)
|
|
|
1a95c1 |
diff --git a/tests/data/test1400 b/tests/data/test1400
|
|
|
1a95c1 |
index 10faef3..9d18a30 100644
|
|
|
1a95c1 |
--- a/tests/data/test1400
|
|
|
1a95c1 |
+++ b/tests/data/test1400
|
|
|
1a95c1 |
@@ -73,6 +73,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
diff --git a/tests/data/test1401 b/tests/data/test1401
|
|
|
1a95c1 |
index f330931..99cb0cb 100644
|
|
|
1a95c1 |
--- a/tests/data/test1401
|
|
|
1a95c1 |
+++ b/tests/data/test1401
|
|
|
1a95c1 |
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
|
|
|
1a95c1 |
(long)CURLPROTO_FTP |
|
|
|
1a95c1 |
diff --git a/tests/data/test1402 b/tests/data/test1402
|
|
|
1a95c1 |
index 9a94283..ef55bd6 100644
|
|
|
1a95c1 |
--- a/tests/data/test1402
|
|
|
1a95c1 |
+++ b/tests/data/test1402
|
|
|
1a95c1 |
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
diff --git a/tests/data/test1403 b/tests/data/test1403
|
|
|
1a95c1 |
index 79cdf49..78932c2 100644
|
|
|
1a95c1 |
--- a/tests/data/test1403
|
|
|
1a95c1 |
+++ b/tests/data/test1403
|
|
|
1a95c1 |
@@ -75,6 +75,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
diff --git a/tests/data/test1404 b/tests/data/test1404
|
|
|
1a95c1 |
index 9c6f2e7..8ea5e04 100644
|
|
|
1a95c1 |
--- a/tests/data/test1404
|
|
|
1a95c1 |
+++ b/tests/data/test1404
|
|
|
1a95c1 |
@@ -144,6 +144,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
diff --git a/tests/data/test1405 b/tests/data/test1405
|
|
|
1a95c1 |
index 73769ee..5a83b6e 100644
|
|
|
1a95c1 |
--- a/tests/data/test1405
|
|
|
1a95c1 |
+++ b/tests/data/test1405
|
|
|
1a95c1 |
@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
diff --git a/tests/data/test1406 b/tests/data/test1406
|
|
|
1a95c1 |
index 796dd22..c941e00 100644
|
|
|
1a95c1 |
--- a/tests/data/test1406
|
|
|
1a95c1 |
+++ b/tests/data/test1406
|
|
|
1a95c1 |
@@ -80,6 +80,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
|
|
|
1a95c1 |
diff --git a/tests/data/test1407 b/tests/data/test1407
|
|
|
1a95c1 |
index 9800eee..ddba7b7 100644
|
|
|
1a95c1 |
--- a/tests/data/test1407
|
|
|
1a95c1 |
+++ b/tests/data/test1407
|
|
|
1a95c1 |
@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
diff --git a/tests/data/test1420 b/tests/data/test1420
|
|
|
1a95c1 |
index a5e1c52..72fb353 100644
|
|
|
1a95c1 |
--- a/tests/data/test1420
|
|
|
1a95c1 |
+++ b/tests/data/test1420
|
|
|
1a95c1 |
@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;UID=1");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
|
|
|
1a95c1 |
+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
|
|
|
1a95c1 |
curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
|
|
|
1a95c1 |
|
|
|
1a95c1 |
/* Here is a list of options the curl code used that cannot get generated
|
|
|
1a95c1 |
--
|
|
|
1a95c1 |
2.26.2
|
|
|
1a95c1 |
|