*/
public static File ftpDown(String username, String password, String ip, int port, String filepath)
        throws Exception {
    FTPClient ftpClient = new FTPClient();
    FileOutputStream outSteam = null;
    File localfile = null;
    try {

*/
public static void ftpUp(String username, String password, String ip, int port, String filepath, File localfile)
        throws Exception {
    FTPClient ftpClient = new FTPClient();
    FileInputStream inStream = null;
    try {
        ftpClient.connect(ip, port);
Insecure network protocols such as HTTP or FTP, which do not make use of TLS/SSL, can allow man-in-the-middle (MitM) attacks to occur.
Use secure protocols whenever possible.
Clear-text protocols lack both encryption and verification features, and as such can allow attackers to easily intercept and/or manipulate data sent over them.
The risks of using such protocols are numerous, including but not limited to:
Additionally, HTTP as a protocol is deprecated by all major browsers.
// These are from the Apache Commons Net library:
TelnetClient telnet = new TelnetClient();
FTPClient ftpClient = new FTPClient();
SMTPClient smtpClient = new SMTPClient();
Use SSH instead of Telnet. The JSch library is a good option to use here:
JSch jsch = new JSch();
Instead of FTP, use SFTP, SCP or FTPS. JSch supports both SFTP and SCP protocols as well as SSH.
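An SFTP replacement for an FTP upload helper, written with JSch. This is an added example, not code from the original page; the names `SftpUpload` and `sftpUp`, the `knownHostsPath` parameter and the `SFTP_PASSWORD` environment variable are assumptions made for illustration.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import com.jcraft.jsch.SftpException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

public final class SftpUpload {
    // Hypothetical helper. knownHostsPath is an OpenSSH-format known_hosts file
    // that already contains the server's host key.
    public static void sftpUp(String username, String password, String host, int port,
                              String remotePath, File localFile, String knownHostsPath)
            throws JSchException, SftpException, IOException {
        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHostsPath);
        Session session = jsch.getSession(username, host, port);
        session.setPassword(password);
        // Refuse unknown or changed host keys. Setting this to "no" accepts any
        // server key and brings back the MitM exposure that SSH is meant to remove.
        session.setConfig("StrictHostKeyChecking", "yes");
        ChannelSftp sftp = null;
        try (InputStream in = new FileInputStream(localFile)) {
            session.connect(10_000); // connect timeout in milliseconds
            sftp = (ChannelSftp) session.openChannel("sftp");
            sftp.connect(10_000);
            sftp.put(in, remotePath); // file contents travel inside the SSH session
        } finally {
            if (sftp != null) {
                sftp.disconnect();
            }
            session.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: SftpUpload <user> <host> <port> <remotePath> <localFile> <known_hosts>
        // The password is read from the environment so it stays off the command line.
        sftpUp(args[0], System.getenv("SFTP_PASSWORD"), args[1], Integer.parseInt(args[2]),
               args[3], new File(args[4]), args[5]);
    }
}
```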
Apache provides a client implementation for FTPS:
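boolean implicit = false; // explicit mode is preferred
FTPSClient client = new FTPSClient(implicit); // the connection can be implicit or explicit.
// In explicit mode connect() sends AUTH TLS and performs the handshake itself;
// in implicit mode the TLS handshake starts as soon as the socket is opened.
client.connect(...);
// FTPSClient has no execTLS(); after connecting, protect the data channel too.
client.execPBSZ(0);
client.execPROT("P"); // "P" = private: data connections are encrypted as well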
Note that implicit FTPS is deprecated. Prefer explicit mode unless the connection is required to be implicit.
Use Apache's SMTPSClient to make secure SMTP connections:
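boolean implicit = false; // true selects implicit mode instead
SMTPSClient client = new SMTPSClient(implicit);
client.connect(...);
if (implicit) {
    // ... Implicit mode: TLS was negotiated during connect().
} else if (client.execTLS()) {
    // ... Explicit mode: STARTTLS succeeded.
} else {
    // STARTTLS failed, so the session is still clear text. Do not continue.
    client.disconnect();
}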
Use proper encryption when creating HTTPS connections.
This issue will not be raised if a loopback connection (to 127.0.0.1 or localhost) is found to be made after creating the client.
Additionally, connections which are designed to operate within a private and secure environment such as a VPN may use unencrypted protocols.
While this is not ideal, you may ignore this issue in such cases at your discretion.