From: Alex Rousskov
Date: Sat, 31 Aug 2013 18:34:01 +0000 (-0600)
Subject: Prohibit FTP PORT destinations other than the control connection source IP.
X-Git-Tag: SQUID_3_5_0_1~117^2~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bef03c635bef0502676482cd4b4329a26fc3eb6a;p=thirdparty%2Fsquid.git

Prohibit FTP PORT destinations other than the control connection source IP.
---

diff --git a/src/client_side.cc b/src/client_side.cc
index 3e3059a483..b42c50d6fe 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -5709,6 +5709,8 @@ FtpHandlePasvRequest(ClientSocketContext *context, String &cmd, String ¶ms)
 bool
 FtpHandlePortRequest(ClientSocketContext *context, String &cmd, String ¶ms)
 {
+    // TODO: Should PORT errors trigger FtpCloseDataConnection() cleanup?
+
     if (!params.size()) {
         FtpSetReply(context, 501, "Missing parameter");
         return false;
@@ -5720,6 +5722,20 @@ FtpHandlePortRequest(ClientSocketContext *context, String &cmd, String ¶ms)
         return false;
     }
 
+    ConnStateData *const connState = context->getConn();
+    assert(connState);
+    assert(connState->clientConnection != NULL);
+    assert(!connState->clientConnection->remote.isAnyAddr());
+
+    if (cltAddr != connState->clientConnection->remote) {
+        debugs(33, 2, "rogue PORT " << cltAddr << " request? ctrl: " << connState->clientConnection->remote);
+        // Closing the control connection would not help with attacks because
+        // the client is evidently able to connect to us. Besides, closing
+        // makes retrials easier for the client and more damaging to us.
+        FtpSetReply(context, 501, "Prohibited parameter value");
+        return false;
+    }
+
     FtpCloseDataConnection(context->getConn());
     debugs(11, 3, "will actively connect to " << cltAddr);
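Review bot: The TODO added at the top of FtpHandlePortRequest records an open question instead of the behaviour the function now has: every `return false` reply in it (the "Missing parameter" case in this hunk and the rejections further down, including the new "Prohibited parameter value" one) returns without touching whatever data connection an earlier PASV or PORT established, and the only FtpCloseDataConnection() call visible on this page is on the accepted-PORT path. If that is the intended outcome, state it where the TODO sits, e.g. `// A rejected PORT leaves any earlier data connection as it was; only an accepted PORT replaces it below.`; if it is not, the early returns are the place to add the cleanup, since a client whose PORT was refused presumably keeps the previously negotiated data channel. The `¶ms` in the hunk headers and the signature context line is an HTML-entity mangling of `&params` in this rendering, not a source change. FtpHandlePortRequest's body continues past the end of this hunk.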