- Issue #72: pyftpdlib now provides configurable idle timeouts to disconnect clients after a long period of inactivity.
- Issue #73: impose a delay before replying to invalid credentials to minimize the risk of brute force password guessing.
- Issue #74: it is now possible to define permission exceptions for certain directories (e.g. creating a user which does not have write permission except for one sub-directory in FTP root).
- Improved bandwidth throttling capabilities of the demo/throttled_ftpd.py script by using the new CallLater class, which drastically reduces the number of calls to time.time().
- Issue #62: some unit tests were failing on dual core machines.
- Issue #71: socket handles are leaked when a data transfer is in progress and user QUITs.
- Issue #75: orphaned file was left behind in case STOU failed for insufficient user permissions.
- Issue #77: incorrect OOB data management on FreeBSD.
Changes applied to the 0.5.0 trunk should be fully compatible with the previous 0.4.0 version. Your existing 0.4.0 based code will most likely work without modification. The new features in this release are detailed below.
The previous version had no mechanism to disconnect clients after a long period of inactivity. This left the FTP server easily vulnerable to DoS attacks in which a large number of connected clients tie up the system's resources and sockets.
Version 0.5.0 solves this problem with a brand new polling loop which, besides serving the connected clients, also checks whether it is time to call any scheduled functions. The new loop and the new CallLater class made it possible to implement timeouts and delayed replies to invalid credentials.
The FTPHandler class gained a new timeout attribute, defaulting to 300 seconds, which is the maximum time of inactivity a remote client may spend before being disconnected.
The DTPHandler class also gained a new timeout attribute, defaulting to 300 seconds, which is roughly the maximum time a data transfer can stall with no progress.
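The scheduling idea described above, as an added example that is not pyftpdlib's own code: a toy scheduled-call queue on a simulated clock, with an idle timer that is re-armed by every command and a failed-login reply that is deferred. The `Scheduler` and `Session` classes, the 5-second delay and the reply strings are assumptions made for illustration; only the 300-second default comes from these notes.

```python
import heapq, hmac, itertools

class Scheduler:
    """Toy scheduled-call queue on a simulated clock (not pyftpdlib's CallLater)."""
    def __init__(self):
        self.now, self._heap, self._seq = 0, [], itertools.count()
    def call_later(self, delay, fn, *args):
        entry = [self.now + delay, next(self._seq), fn, args, False]  # last = cancelled
        heapq.heappush(self._heap, entry)
        return entry
    def run_until(self, deadline):
        # What a polling loop does between socket events: fire every due call.
        while self._heap and self._heap[0][0] <= deadline:
            self.now, _, fn, args, cancelled = heapq.heappop(self._heap)
            if not cancelled:
                fn(*args)
        self.now = deadline

class Session:
    timeout = 300     # idle limit in seconds, the default stated in the notes
    auth_delay = 5    # assumed value; the notes do not give the delay
    def __init__(self, sched, password):
        self.sched, self.password, self.log, self.closed = sched, password, [], False
        self._idle = sched.call_later(self.timeout, self.close, "idle timeout")
    def close(self, reason):
        self.closed = True
        self.log.append((self.sched.now, "closed: " + reason))
    def reply(self, text):
        if not self.closed:
            self.log.append((self.sched.now, text))

    def on_command(self, line):
        if self.closed:
            return
        self._idle[4] = True   # activity cancels the pending idle timer, then re-arms it
        self._idle = self.sched.call_later(self.timeout, self.close, "idle timeout")
        if line.startswith("PASS "):
            if hmac.compare_digest(line[5:].encode(), self.password.encode()):
                self.reply("230 Login successful.")
            else:  # failure is answered late, capping the guess rate per connection
                self.sched.call_later(self.auth_delay, self.reply, "530 Authentication failed.")

def demo():
    s = Session(Scheduler(), "s3cret")                    # constructed credentials
    for t, line in [(200, "PASS wrong"), (250, "NOOP")]:  # constructed client script
        s.sched.run_until(t)
        s.on_command(line)
    s.sched.run_until(600)
    return s.log
```

Because the idle timer is reset by any command, a client that keeps sending commands is never disconnected by it; the deferred failure reply is what limits password guessing on a live connection.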
The DummyAuthorizer now lets you define permission exceptions for directories. For example, if you want to create a user who does not have write permission except for one sub-directory in the FTP root, you can now do as follows:
>>> from pyftpdlib import ftpserver
>>> authorizer = ftpserver.DummyAuthorizer()
>>> authorizer.add_user('user', 'password', '/home/ftp', perm='elr')
>>> authorizer.override_perm('user', '/home/ftp/pub', 'elradfmw', recursive=True)