curl-library

Regression on FTP connections with --anyauth

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Tue, 11 Feb 2014 22:57:02 +0100

curl 7.35.0 in commit 8ae35102c (the fix for CVE-2014-0015) introduces a
serious regression in handling reuse of FTP connections. The following
example shows the problem:

curl -v --anyauth \
  ftp://ftp.snt.utwente.nl/pub/os/linux/mageia/distrib/4/i586/VERSION \
  ftp://ftp.snt.utwente.nl/pub/os/linux/mageia/distrib/4/i586/VERSION

as does adding --anyauth to the command section in test 210 (the test hangs
because the ftp server can only handle one connection at a time).

In prior versions, libcurl would reuse the FTP control connection for the
second URL. After that commit, it opens a new control connection, leaving the
old one open as well. After downloading a few files (i.e. opening a few
connections), FTP servers will often prevent further connections from the same
IP address as DOS protection, which causes all remaining downloads to fail.

This issue was reported at https://bugs.mageia.org/show_bug.cgi?id=12608 where
it causes Mageia package downloads to fail when several are being downloaded at
once.

>>> Dan
Received on 2014-02-11
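
Added example, not part of the mail above and not code from the curl project: a check for the control-connection reuse the mail describes, run over captured `curl -v` output. The verbose line formats it matches are assumed from curl's output, and the sample logs, host name and address are constructed placeholders.

```shell
#!/bin/sh
# Added example: summarise FTP control-connection handling from `curl -v`
# output read on stdin. Assumes curl's verbose line formats
# "* Connected to HOST (IP) port N (#ID)" and
# "* Re-using existing connection! (#ID) with host HOST".

# Print "<host> opened=<n> reused=<m>" per host; $1 = control port (default 21).
conn_summary() {
  awk -v port="${1:-21}" '
    /^\* Connected to / && index($0, " port " port " ") {
      opened[$4]++; hosts[$4] = 1
    }
    /^\* Re-using existing connection/ { reused[$NF]++; hosts[$NF] = 1 }
    END {
      for (h in hosts) printf "%s opened=%d reused=%d\n", h, opened[h], reused[h]
    }' | sort
}

# Exit 0 only if no host had more than one control connection opened.
reuse_ok() {
  conn_summary "$@" | awk '
    { split($2, kv, "="); if (kv[2] + 0 > 1) bad = 1 }
    END { exit bad + 0 }'
}

# Constructed sample logs (trimmed; ftp.example.com and 192.0.2.10 are placeholders).
sample_reused() {
  cat <<'EOF'
* Connected to ftp.example.com (192.0.2.10) port 21 (#0)
* Connection #0 to host ftp.example.com left intact
* Re-using existing connection! (#0) with host ftp.example.com
* Connection #0 to host ftp.example.com left intact
EOF
}
sample_regressed() {
  cat <<'EOF'
* Connected to ftp.example.com (192.0.2.10) port 21 (#0)
* Connection #0 to host ftp.example.com left intact
* Connected to ftp.example.com (192.0.2.10) port 21 (#1)
* Connection #1 to host ftp.example.com left intact
EOF
}

sample_reused | conn_summary      # one control connection, reused for the second URL
sample_regressed | conn_summary   # a second control connection opened instead
```

Against a real transfer, pipe curl's stderr into the check, for example by appending `2>&1 >/dev/null | reuse_ok` to the two-URL command in the mail.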