[CVE-2020-8284] CURLOPT_FTP_SKIP_PASV_IP by defaultsubmit/tizen_base/20210218.080159accepted/tizen/base/tool/20210221.221015

A malicious server can use the FTP PASV response to trick curl 7.73.0
and earlier into connecting back to a given IP address and port,
and this way potentially make curl extract information about services
that are otherwise private and not disclosed,
for example doing port scanning and service banner extractions.

Change-Id: Ifb923106339f8d3e64ec171ef22ebab3ac3c6d8d
Signed-off-by: JinWang An <jinwang.an@samsung.com>

2 files changed, 2 insertions, 0 deletions

diff --git a/Utilities/cmcurl/curltest.c b/Utilities/cmcurl/curltest.c
index f80e758a0..36c7d1728 100644
--- a/Utilities/cmcurl/curltest.c
+++ b/Utilities/cmcurl/curltest.c
@@ -37,6 +37,7 @@ int test_curl(const char* url)
   }
 
   curl_easy_setopt(curl, CURLOPT_VERBOSE, 1);
+  curl_easy_setopt(curl, CURLOPT_FTP_SKIP_PASV_IP, 1L);
   curl_easy_setopt(curl, CURLOPT_HEADER, 1);
 
   if (proxy_type > 0) {
diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c
index c441ae716..b39a3ee22 100644
--- a/Utilities/cmcurl/lib/url.c
+++ b/Utilities/cmcurl/lib/url.c
@@ -444,6 +444,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
   set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
   set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
   set->ftp_filemethod = FTPFILE_MULTICWD;
+  set->ftp_skip_ip = TRUE; /* skip PASV IP by default */
 #endif
   set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */