thoughts

2019-05-30 12:00:45 -04:00 · 2019-05-30 12:00:45 -04:00 · af5246cf04
commit af5246cf04
parent b993d26dff
2 changed files with 29 additions and 0 deletions
--- a/doc/bugs/regression58_http_downloads_redirecting_to_ftp_are_no_longer_supported/comment_4_b15837921956ad166cf53a5dd23cb7dd._comment
+++ b/doc/bugs/regression58_http_downloads_redirecting_to_ftp_are_no_longer_supported/comment_4_b15837921956ad166cf53a5dd23cb7dd._comment
@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""ftp bounce attack"""
+ date="2019-05-30T15:53:26Z"
+ content="""
+In a PASV ftp connection, the server provides to the client an IP address
+and port to connect to. That is exploited by a ftp bounce attack.
+(Which I last thought about in like 1998? Why are we still using these bad
+old protocols?)
+
+So it seems git-annex can't rely on checking the ftp server IP is not
+local, because the non-local ftp server could use that to get the client to
+connect to a local ftp server. After content from that gets added to the
+git annex, we're back to CVE-2018-10857.
+
+curl defaults to PASV of course (active FTP is unlikely to work on the
+"modern" non-p2p internet). Seems curl does have a --ftp-skip-pasv-ip
+that makes it ignore whatever IP address the FTP server might present and
+just continue to use the same server IP.
+"""]]
--- a/doc/bugs/regression58_http_downloads_redirecting_to_ftp_are_no_longer_supported/comment_5_2a66b890e3c60d1102acb7cef0b86308._comment
+++ b/doc/bugs/regression58_http_downloads_redirecting_to_ftp_are_no_longer_supported/comment_5_2a66b890e3c60d1102acb7cef0b86308._comment
@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 5"""
+ date="2019-05-30T15:59:57Z"
+ content="""
+Yet another problem: A ftp server might have both IPv4 and IPv6 addresses,
+and only one might work, so it seems git-annex will need to run curl more
+than once.
+"""]]