Bug 134133
Summary: | Proposed workaround for SSL auth in ProFTPD | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Aleksandar Milivojevic <alex> | ||||
Component: | curl | Assignee: | Eido Inoue <havill> | ||||
Status: | CLOSED RAWHIDE | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 2 | Keywords: | FutureFeature | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | 7.12.1-1 | Doc Type: | Enhancement | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2004-10-06 19:58:19 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
Aleksandar Milivojevic
2004-09-29 19:20:22 UTC
Created attachment 104540 [details]
Workaround for brain damaged secure FTP servers
Please explain to me why curl should be patched as opposed to ProFTD? Is this change standards compatible (ie won't break any real or theoretical fully compliant ftp server out there)? Curl should be patched in order to work with existing ProFTPD servers (even after ProFTPD is patched). There is huge installed base of ProFTPD servers out there. Also, it is not likely that ProFTPD will be patched soon, because the bug is in the design of ProFTPD's authentication module. It's not just a couple of lines of code, it needs to be revised, and possible other modules that depend on current desing of auth module. I've checked ProFTPD source and their bug tracking web page. It seems developers are aware of the problem, but there is no easy way to fix it. This workaround would enable curl to interoperate with current ProFTPD servers, until the bug in ProFTPD is fixed. The change is compatible. It should not break any real or theretically fully compliant ftp server out there becase: - Fully compliant FTP server will not require PASS command (it will return 232 as response to USER command, as defined in RFC 2228 and proposed standard described in draft-murray-auth-ftp-ssl-15.txt). Also, code 232 is not mentioned anywhere in RFC 959, so any "plain old" FTP server should never return it as response to any command. - Codes 2xx are reserved for positive completitions, so anything 2xx means server accepted the password and does not expect any further information (otherwise, it would issue 3xx if more information was needed, 4xx or 5xx in case of errors). I am not aware of any servers sending 2xx as response to PASS when they should send 3xx. Even if there are any, they wouldn't work with existing checks in curl anyhow (if I haven't missed something obvious in curl's source). I would suggest you report problems/bugs/patches in curl to the curl project first. I have now modified the PASS response code check in curl, included in the upcoming 7.12.2 release. Thanks. I'll keep that in mind for future. |