libcurl-security.md: Active FTP passes on the local IP address

author Daniel Stenberg <daniel@haxx.se>

Mon, 5 Feb 2024 18:30:48 +0000 (19:30 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 5 Feb 2024 23:11:39 +0000 (00:11 +0100)
author Daniel Stenberg <daniel@haxx.se>
Mon, 5 Feb 2024 18:30:48 +0000 (19:30 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 5 Feb 2024 23:11:39 +0000 (00:11 +0100)
diff --git a/docs/libcurl/libcurl-security.md b/docs/libcurl/libcurl-security.md

index 09d63f4a868b671cd3adbdc3a8042fefa58a3329..019080d263d0198e03f99225f6044069a75034a8 100644 (file)
--- a/docs/libcurl/libcurl-security.md
+++ b/docs/libcurl/libcurl-security.md
@@ -363,6 +363,12 @@ instead of back to curl.
  The fact that FTP uses two connections makes it vulnerable in a way that is
  hard to avoid.
  
+# Active FTP passes on the local IP address
+
+If you use curl/libcurl to do *active* FTP transfers, curl will pass on the
+address of your local IP to the remote server - even when for example using a
+SOCKS or HTTP proxy in between curl and the target server.
+
  # Denial of Service
  
  A malicious server could cause libcurl to effectively hang by sending data
author	Daniel Stenberg <daniel@haxx.se>
	Mon, 5 Feb 2024 18:30:48 +0000 (19:30 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 5 Feb 2024 23:11:39 +0000 (00:11 +0100)