Bug 35280 - FTP proxy breaks RFC 2428 when trying to fall back from EPSV to PASV
Summary: FTP proxy breaks RFC 2428 when trying to fall back from EPSV to PASV
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy
Version: 2.0.54
Hardware: All All
Importance: P2 normal with 3 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: MassUpdate, PatchAvailable
Depends on:
Reported: 2005-06-09 10:03 UTC by Timo Viipuri
Modified: 2018-11-07 21:08 UTC

Patch to fix bug 35280 (873 bytes, patch)
2005-06-09 10:08 UTC, Timo Viipuri
Updating to mod_proxy_ftp.c, includes the codes requested in comments, and is more lenient (1.04 KB, patch)
2007-08-29 11:16 UTC, rahul

Description Timo Viipuri 2005-06-09 10:03:09 UTC
The logic for making passive connections through the FTP proxy is correctly
implemented in Apache, i.e. first try to use EPSV -> if that fails, try PASV
-> if that fails, try PORT. However, only error codes 500 ("Syntax error,
command unrecognized"), 501 ("Syntax error in parameters or arguments") and
502 ("Command not implemented") are accepted for the decision to try
PASV if EPSV fails. For all other error codes, the connection is reset.

In RFC 2428, it is stated that if the server doesn't support EPSV it MUST return
error message 522 ("Protocol not supported"). I think Apache should be changed
so that PASV is tried when receiving message 522 as well.

Also, some firewall vendors (at least Checkpoint) seem to have adopted the
choice of returning error message 505 ("Command Blocked") if the firewall
doesn't allow EPSV to be passed. Thus, it should also be included that PASV is
tried in Apache when receiving message 505 as well.
Comment 1 Timo Viipuri 2005-06-09 10:08:16 UTC
Created attachment 15344 [details]
Patch to fix bug 35280
Comment 2 Timo Viipuri 2005-06-09 10:10:54 UTC
Added patch which makes ftp_proxy try to use PASV if message 522 ("Protocol not
supported") or 505 ("Command blocked") is received when trying to use EPSV.
Comment 3 Le Hong Boi 2006-06-02 10:11:56 UTC
Some servers, like download.fedora.redhat.com
     220 Fedora FTP server ready. All transfers are logged. [no EPSV]
return "550 Permission denied." to EPSV, and accept the PASV command.

Apache FTP proxy should fall back to PASV when receiving 550 too.
Comment 4 rahul 2007-08-29 11:16:12 UTC
Created attachment 20730 [details]
Updating to mod_proxy_ftp.c, includes the codes requested in comments, and is more lenient

Updating to the new mod_proxy_ftp.c file.
This patch checks only whether the return code for EPSV is of the 5XX variety
before falling back to PASV. This is smaller and faster than checking for multiple
int values too.
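An added example (not code from httpd or from either attachment on this report) that models the fallback decision discussed in the description and in comments 3 and 4: the strict 500/501/502 rule beside the any-5xx rule, run against constructed server reply lines. The reply strings, the function names and the assumption that a failed PASV falls straight through to PORT are illustrative choices, not taken from mod_proxy_ftp.c.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of the data-connection negotiation. */
enum data_mode { MODE_EPSV, MODE_PASV, MODE_PORT, MODE_RESET };

/* Extract the 3-digit code from an FTP reply line ("522 ..." or, for a
 * multi-line reply, "522-..."); returns -1 if the line is malformed. */
int ftp_reply_code(const char *line)
{
    if (strlen(line) < 3 || (line[3] != ' ' && line[3] != '-' && line[3] != '\0'))
        return -1;
    for (int i = 0; i < 3; i++)
        if (line[i] < '0' || line[i] > '9') return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Rule reported in the description: only 500/501/502 allow the PASV fallback. */
int fallback_strict(int code) { return code == 500 || code == 501 || code == 502; }

/* Rule of attachment 20730: any 5xx reply to EPSV allows the PASV fallback. */
int fallback_lenient(int code) { return code >= 500 && code <= 599; }

/* Run the EPSV -> PASV -> PORT sequence against the server's reply lines.
 * 'policy' decides whether a failed EPSV may fall back; a failed PASV is
 * assumed here (illustrative choice) to fall straight through to PORT. */
enum data_mode negotiate(const char *epsv_reply, const char *pasv_reply,
                         int (*policy)(int))
{
    int code = ftp_reply_code(epsv_reply);
    if (code >= 200 && code <= 299) return MODE_EPSV;
    if (!policy(code)) return MODE_RESET;   /* proxy drops the connection */
    code = ftp_reply_code(pasv_reply);
    return (code >= 200 && code <= 299) ? MODE_PASV : MODE_PORT;
}

int main(void)
{
    /* Constructed replies for the cases raised in this report. */
    const char *epsv[] = { "229 Entering Extended Passive Mode (|||6000|)",
                           "522 Protocol not supported",    /* RFC 2428 */
                           "505 Command Blocked",           /* Checkpoint */
                           "550 Permission denied." };      /* comment 3 */
    const char *pasv = "227 Entering Passive Mode (192,0,2,10,23,112)";
    const char *name[] = { "EPSV", "PASV", "PORT", "RESET" };
    for (int i = 0; i < 4; i++)
        printf("%-46s strict=%-5s lenient=%s\n", epsv[i],
               name[negotiate(epsv[i], pasv, fallback_strict)],
               name[negotiate(epsv[i], pasv, fallback_lenient)]);
    return 0;
}
```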
Comment 5 Christopher Head 2008-10-26 13:21:09 UTC
Some old firewalls seem not to even understand the EPSV command, but rather pass it through intact. This of course prevents the data connection from being properly established. It would be nice if either (1) a failure to establish the data connection would cause a fallback to PASV, or (2) an option were provided in the configuration to not use EPSV at all. #2 is preferable, of course, because it eliminates the delay while waiting for the data connection to time out.
Comment 6 Rainer Jung 2018-02-25 20:57:35 UTC
Undo spam change
Comment 7 William A. Rowe Jr. 2018-11-07 21:08:28 UTC
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd.

As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd.

If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question.

If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with.

Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.