FTP bug, again

From: Peter Stamfest <peter.stamfest@eunet.at>
Date: Tue, 22 Aug 2000 11:07:22 +0200 (CEST)
To: www-lib@w3.org
Message-ID: <Pine.LNX.4.21.0008221056560.1247-100000@peter.stamf.pr.at>


Hello everybody, 

I still have to tackle the same problem: FTP connects may reuse channels
with wrong user credentials:

Given two URLs:

   ftp://user1:passwd1@host.somewhere.net/home/user1/first_file
and
   ftp://user2:passwd2@host.somewhere.net/home/user2/another_file

handed to libwww for download within the time connections are kept to be
reused (persistent connections), the second request may use the user ID of
the first request. The FTP client code tries to use the REIN
command to change the user on the FTP server, but there are FTP servers
that do not understand that command (most notably wu-ftpd).

libwww erroneously uses the channel nevertheless. This has severe security
implications when libwww is used in server-style applications (say, for
example, an FTP proxy), where different users can pass URLs to the libwww
engine.

In the above example, the second request may fail due to access violations
(user1 is not allowed to access /home/user2), even though the URL is
correct.

What should I (we?) do about this? The simplest thing to do would be to
not reuse FTP connections at all, but then persistent connections become
totally useless for FTP.

Another solution would be to associate user credentials (or other protocol
dependent data) with a channel, and to only use a channel if the protocol
specific information is compatible with the request to be carried out
across the channel.

Am I the only one to have this problem? 

peter

-- 
Peter Stamfest                    UNIX, Networking & Computing Consultant
Tel: +43/699/20711205             Software Development
E-Mail: ps@psncc.at               
        peter.stamfest@eunet.at 
Received on Tuesday, 22 August 2000 05:09:30 GMT
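Added example (not code from the original post or from libwww): a small C model of the second remedy described in the message, binding the login credentials to each cached channel and reusing an idle channel only when host, user and password all match, so that a server which ignores REIN can never leave a request running under the previous user's login. The channel pool, `parse_ftp_url`, `ftp_acquire`, `ftp_release` and the other names are constructed for this illustration; the sample URLs are the two from the message.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS 8

/* Hypothetical channel record: the credentials the FTP session was logged
 * in with stay bound to the channel for its whole lifetime. (Real code
 * should keep a derived comparison key rather than the plaintext password.) */
typedef struct {
    char host[64];
    char user[32];
    char passwd[32];
    int  open;    /* connection exists */
    int  in_use;  /* currently carrying a request */
} ftp_channel;

static ftp_channel pool[MAX_CHANNELS];
static int opened_count;   /* new connections opened since pool_reset() */

void pool_reset(void) { memset(pool, 0, sizeof pool); opened_count = 0; }
int  ftp_channels_opened(void) { return opened_count; }

static void copy_n(char *dst, size_t dlen, const char *src, size_t n)
{
    if (n >= dlen) n = dlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Minimal ftp://[user[:passwd]@]host/path splitter (constructed for this
 * example). The userinfo ends at the last '@' before the first '/'. */
int parse_ftp_url(const char *url, char *user, size_t ulen,
                  char *pw, size_t plen, char *host, size_t hlen)
{
    const char *p, *q, *slash, *at = NULL, *colon;
    if (strncmp(url, "ftp://", 6) != 0) return -1;
    p = url + 6;
    slash = strchr(p, '/');
    if (slash == NULL) slash = p + strlen(p);
    for (q = p; q < slash; q++)
        if (*q == '@') at = q;
    if (at != NULL) {
        colon = memchr(p, ':', (size_t)(at - p));
        if (colon != NULL) {
            copy_n(user, ulen, p, (size_t)(colon - p));
            copy_n(pw, plen, colon + 1, (size_t)(at - colon - 1));
        } else {
            copy_n(user, ulen, p, (size_t)(at - p));
            pw[0] = '\0';
        }
        p = at + 1;
    } else {
        /* no userinfo: the anonymous login is still a distinct identity
         * for channel-reuse purposes */
        copy_n(user, ulen, "anonymous", 9);
        pw[0] = '\0';
    }
    copy_n(host, hlen, p, (size_t)(slash - p));
    return 0;
}

static int creds_match(const ftp_channel *c, const char *host,
                       const char *user, const char *pw)
{
    return strcmp(c->host, host) == 0 && strcmp(c->user, user) == 0
        && strcmp(c->passwd, pw) == 0;
}

/* Hand out a channel for (host, user, passwd). An idle channel is reused
 * only when all three match; otherwise a fresh connection is opened. A
 * channel bound to other credentials is never reused, so nothing depends
 * on the server honouring REIN. Returns the channel index, -1 if exhausted. */
int ftp_acquire(const char *host, const char *user, const char *pw)
{
    int i;
    for (i = 0; i < MAX_CHANNELS; i++)
        if (pool[i].open && !pool[i].in_use && creds_match(&pool[i], host, user, pw)) {
            pool[i].in_use = 1;
            return i;
        }
    for (i = 0; i < MAX_CHANNELS; i++)
        if (!pool[i].open) {
            copy_n(pool[i].host, sizeof pool[i].host, host, strlen(host));
            copy_n(pool[i].user, sizeof pool[i].user, user, strlen(user));
            copy_n(pool[i].passwd, sizeof pool[i].passwd, pw, strlen(pw));
            pool[i].open = pool[i].in_use = 1;
            opened_count++;   /* a real client would connect and send USER/PASS here */
            return i;
        }
    return -1;
}

void ftp_release(int idx) { if (idx >= 0 && idx < MAX_CHANNELS) pool[idx].in_use = 0; }

/* Convenience: split the URL, then acquire a channel matching its credentials. */
int ftp_acquire_url(const char *url)
{
    char user[32], pw[32], host[64];
    if (parse_ftp_url(url, user, sizeof user, pw, sizeof pw, host, sizeof host) != 0)
        return -1;
    return ftp_acquire(host, user, pw);
}

int main(void)
{
    int a, b;
    pool_reset();
    a = ftp_acquire_url("ftp://user1:passwd1@host.somewhere.net/home/user1/first_file");
    ftp_release(a);   /* idle now, but bound to user1 */
    b = ftp_acquire_url("ftp://user2:passwd2@host.somewhere.net/home/user2/another_file");
    printf("user1 got channel %d, user2 got channel %d, %d connections opened\n",
           a, b, ftp_channels_opened());
    return 0;
}
```

With this rule the second URL from the message gets its own connection instead of inheriting user1's login, while a later request for user1 with the same password does get the idle channel back, so persistent connections still pay off for repeated requests by one user.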

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 23 April 2007 18:18:37 GMT