From: Daniel Stenberg Date: Mon, 5 Feb 2024 18:30:48 +0000 (+0100) Subject: libcurl-security.md: Active FTP passes on the local IP address X-Git-Tag: curl-8_7_0~223 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf411ccd0d5ccc01c647be612cac31c58227549a;p=thirdparty%2Fcurl.git libcurl-security.md: Active FTP passes on the local IP address Reported-by: Harry Sintonen Closes #12867 --- diff --git a/docs/libcurl/libcurl-security.md b/docs/libcurl/libcurl-security.md index 09d63f4a86..019080d263 100644 --- a/docs/libcurl/libcurl-security.md +++ b/docs/libcurl/libcurl-security.md @@ -363,6 +363,12 @@ instead of back to curl. The fact that FTP uses two connections makes it vulnerable in a way that is hard to avoid. +# Active FTP passes on the local IP address + +If you use curl/libcurl to do *active* FTP transfers, curl will pass on the +address of your local IP to the remote server - even when for example using a +SOCKS or HTTP proxy in between curl and the target server. + # Denial of Service A malicious server could cause libcurl to effectively hang by sending data
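Review bot: The new "Active FTP passes on the local IP address" section describes the exposure but stops short of telling the reader how to avoid it. Consider a closing sentence noting that active mode is only used when explicitly requested (CURLOPT_FTPPORT in libcurl, -P/--ftp-port in the command line tool) and that passive transfers do not send the client address to the server. It would also help to say that the address travels inside the FTP PORT/EPRT command, so readers understand why a SOCKS or HTTP proxy does not hide it. Two wording nits in the added paragraph: "the address of your local IP" reads better as "your local IP address", and "even when for example using" wants commas around "for example".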