From bf411ccd0d5ccc01c647be612cac31c58227549a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 5 Feb 2024 19:30:48 +0100 Subject: [PATCH] libcurl-security.md: Active FTP passes on the local IP address Reported-by: Harry Sintonen Closes #12867 --- docs/libcurl/libcurl-security.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/libcurl/libcurl-security.md b/docs/libcurl/libcurl-security.md index 09d63f4a86..019080d263 100644 --- a/docs/libcurl/libcurl-security.md +++ b/docs/libcurl/libcurl-security.md @@ -363,6 +363,12 @@ instead of back to curl. The fact that FTP uses two connections makes it vulnerable in a way that is hard to avoid. +# Active FTP passes on the local IP address + +If you use curl/libcurl to do *active* FTP transfers, curl will pass on the +address of your local IP to the remote server - even when for example using a +SOCKS or HTTP proxy in between curl and the target server. + # Denial of Service A malicious server could cause libcurl to effectively hang by sending data -- 2.47.3
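Review bot: The new "Active FTP passes on the local IP address" section states the exposure but gives the reader nothing to act on, and it does not say how an application ends up doing active FTP in the first place. Consider naming the option that turns active mode on (CURLOPT_FTPPORT in libcurl) so readers can tell whether they are affected, and adding a sentence on what to do when the local address must stay hidden behind the SOCKS or HTTP proxy, such as not using active mode for those transfers. Wording nit in the same paragraph: "the address of your local IP" reads more cleanly as "your local IP address", and "even when for example using" needs commas around "for example".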