Prohibit FTP PORT destinations other than the control connection source IP.

diff --git a/src/client_side.cc b/src/client_side.cc
index 3e3059a483f8fcda18f118f7929ddfc24bcdf144..b42c50d6fecd5c40685317c1ca6075407e380829 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -5709,6 +5709,8 @@ FtpHandlePasvRequest(ClientSocketContext *context, String &cmd, String &params)
 bool
 FtpHandlePortRequest(ClientSocketContext *context, String &cmd, String &params)
 {
+    // TODO: Should PORT errors trigger FtpCloseDataConnection() cleanup?
+
     if (!params.size()) {
         FtpSetReply(context, 501, "Missing parameter");
         return false;
@@ -5720,6 +5722,20 @@ FtpHandlePortRequest(ClientSocketContext *context, String &cmd, String &params)
         return false;
     }
 
+    ConnStateData *const connState = context->getConn();
+    assert(connState);
+    assert(connState->clientConnection != NULL);
+    assert(!connState->clientConnection->remote.isAnyAddr());
+
+    if (cltAddr != connState->clientConnection->remote) {
+        debugs(33, 2, "rogue PORT " << cltAddr << " request? ctrl: " << connState->clientConnection->remote);
+        // Closing the control connection would not help with attacks because
+        // the client is evidently able to connect to us. Besides, closing
+        // makes retrials easier for the client and more damaging to us.
+        FtpSetReply(context, 501, "Prohibited parameter value");
+        return false;
+    }
+
     FtpCloseDataConnection(context->getConn());
     debugs(11, 3, "will actively connect to " << cltAddr);