01-05-2009, 08:45 PM
Chris Lumens

477536 - don't assume PASS follows USER

According to the FTP RFC, the USER command does not need to be followed
by a PASS command. It's possible to disable password prompting for
anonymous users, as the bug report indicates. Assuming I am reading all
this FTP command handling code right, the attached patch should bypass
sending a PASS command and waiting for a response if the server gave us
a response of 230 for USER. I'd appreciate someone else checking this
out as well.

- Chris


diff --git a/loader/ftp.c b/loader/ftp.c
index aa7a95b..8f8a585 100644
--- a/loader/ftp.c
+++ b/loader/ftp.c
@@ -74,7 +74,6 @@ extern int h_errno;
#include "net.h"

static int ftpCheckResponse(int sock, char ** str);
-static int ftpCommand(int sock, char * command, ...);
static int getHostAddress(const char * host, void * address, int family);

static int ftpCheckResponse(int sock, char ** str) {
@@ -167,7 +166,7 @@ static int ftpCheckResponse(int sock, char ** str) {
return 0;
}

-int ftpCommand(int sock, char * command, ...) {
+static int ftpCommand(int sock, char **response, char * command, ...) {
va_list ap;
int len;
char * s;
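Review bot: the new `response` parameter in the `ftpCommand` signature has no documentation. A comment above the function should state that NULL is accepted (the PASS and TYPE calls in this patch pass NULL), what `*response` holds on return, and who owns that string. Because the parameter is inserted ahead of `command` in a variadic function, any caller in ftp.c not touched by this patch would still compile with only an incompatible-pointer warning, so it is worth confirming every call site was converted.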
@@ -204,7 +203,7 @@ int ftpCommand(int sock, char * command, ...) {
return FTPERR_SERVER_IO_ERROR;
}

- if ((rc = ftpCheckResponse(sock, NULL)))
+ if ((rc = ftpCheckResponse(sock, response)))
return rc;

return 0;
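Review bot: on the `return FTPERR_SERVER_IO_ERROR;` path just above the changed call, `ftpCommand` returns before `ftpCheckResponse(sock, response)` runs, so `*response` is never written there. `ftpOpen` declares `char *userReply;` without an initializer, so the value is only defined if the call succeeds and `ftpCheckResponse` stores something. Setting `*response = NULL` at the top of `ftpCommand` when `response` is non-NULL, or initializing `userReply` to NULL at its declaration, gives callers a defined value to test.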
@@ -261,6 +260,7 @@ int ftpOpen(char *host, int family, char *name, char *password,
struct sockaddr_in6 destPort6;
struct passwd * pw;
int rc = 0;
+ char *userReply;

if (port < 0) port = IPPORT_FTP;

@@ -322,17 +322,22 @@ int ftpOpen(char *host, int family, char *name, char *password,
return rc;
}

- if ((rc = ftpCommand(sock, "USER", name, NULL))) {
+ if ((rc = ftpCommand(sock, &userReply, "USER", name, NULL))) {
close(sock);
return rc;
}

- if ((rc = ftpCommand(sock, "PASS", password, NULL))) {
- close(sock);
- return rc;
+ /* FTP does not require that USER be followed by PASS. Anonymous logins
+ * in particular do not need any password.
+ */
+ if (!strncmp(userReply, "230", 3)) {
+ if ((rc = ftpCommand(sock, NULL, "PASS", password, NULL))) {
+ close(sock);
+ return rc;
+ }
}

- if ((rc = ftpCommand(sock, "TYPE", "I", NULL))) {
+ if ((rc = ftpCommand(sock, NULL, "TYPE", "I", NULL))) {
close(sock);
return rc;
}
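Review bot: the test `if (!strncmp(userReply, "230", 3))` is inverted relative to the comment above it and to the commit message. `strncmp` returns 0 on a match, so `!strncmp(...)` is true exactly when the USER reply starts with 230; as written, PASS is sent when the server has already accepted the login and is skipped for every other reply, including one asking for a password. The condition should be `strncmp(userReply, "230", 3) != 0`, and a NULL check on `userReply` before the comparison would keep it safe if no reply text was stored.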

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
 
01-06-2009, 07:13 AM
Hans de Goede

477536 - don't assume PASS follows USER

Chris Lumens wrote:

According to the FTP RFC, the USER command does not need to be followed
by a PASS command. It's possible to disable password prompting for
anonymous users, as the bug report indicates. Assuming I am reading all
this FTP command handling code right, the attached patch should bypass
sending a PASS command and waiting for a response if the server gave us
a response of 230 for USER. I'd appreciate someone else checking this
out as well.



The new code looks good (not tested),

Regards,

Hans
