From 2bbfb5bd8e6be73480018b4ac92befb4736c5bba Mon Sep 17 00:00:00 2001 From: JinWang An Date: Wed, 17 Feb 2021 17:09:21 +0900 Subject: [CVE-2020-8284] CURLOPT_FTP_SKIP_PASV_IP by default A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. Change-Id: Ifb923106339f8d3e64ec171ef22ebab3ac3c6d8d Signed-off-by: JinWang An --- Utilities/cmcurl/curltest.c | 1 + Utilities/cmcurl/lib/url.c | 1 + 2 files changed, 2 insertions(+) diff --git a/Utilities/cmcurl/curltest.c b/Utilities/cmcurl/curltest.c index f80e758a0..36c7d1728 100644 --- a/Utilities/cmcurl/curltest.c +++ b/Utilities/cmcurl/curltest.c @@ -37,6 +37,7 @@ int test_curl(const char* url) } curl_easy_setopt(curl, CURLOPT_VERBOSE, 1); + curl_easy_setopt(curl, CURLOPT_FTP_SKIP_PASV_IP, 1L); curl_easy_setopt(curl, CURLOPT_HEADER, 1); if (proxy_type > 0) { diff --git a/Utilities/cmcurl/lib/url.c b/Utilities/cmcurl/lib/url.c index c441ae716..b39a3ee22 100644 --- a/Utilities/cmcurl/lib/url.c +++ b/Utilities/cmcurl/lib/url.c @@ -444,6 +444,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */ set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */ set->ftp_filemethod = FTPFILE_MULTICWD; + set->ftp_skip_ip = TRUE; /* skip PASV IP by default */ #endif set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ -- cgit v1.2.3