RE: Are we done with draft-hoffman-ftp-uri-02.txt? from Alun Jones on 2004-10-29 (uri@w3.org from October 2004)

From: Alun Jones <alunj@microsoft.com>
Date: Fri, 29 Oct 2004 09:27:20 -0700
To: "Graham Klyne" <GK@ninebynine.org>, "Paul Hoffman / IMC" <phoffman@imc.org>, <uri@w3.org>
Message-ID: <0966E90CB313084DA7A9C55799FDEFD202FBF2A3@RED-MSG-50.redmond.corp.microsoft.com>

> -----Original Message-----
> From: uri-request@w3.org [mailto:uri-request@w3.org] On 
> Behalf Of Graham Klyne
> 
> 2.  Scheme Definition:
> [[
>     A FTP URL follows the standard syntax described in
>     draft-fielding-uri-rfc2396bis [2396bis].  If :<port> is 
> omitted, the
>     port defaults to 21.
> ]]
> That's the command channel port, right?  Does the FTP URI spec have 
> anything to say about the data channel port?  I guess not.

There are several ways of specifying the data channel port, and
doubtless more will arise.  It's probably best not to specify how the
data channel is accessed in a URL.

> 2.2  FTP url-path:
> [[
>     Historical note: Most FTP client implementations precede 
> the <cwd1>
>     with a "/" before sending the CWD command.  This is arguably in
>     conflict with RFC 1738, although the practice is quite widespread.
>     Thus, a client that is presented with the URL
>     <URL:ftp://myname@example.com/abc/def> might send the two commands
>     "CWD /abc" and "RETR def" or it might send the two 
> commands "CWD abc"
>     and "RETR def".  Server implementers should be aware of these two
>     different interpretations of the same URL.
> ]]
> 
> That looks like a potential security problem to me... 
> shouldn't FTP servers 
> avoid allowing accesses outside the indicated user's area (subtree)?

No.  If the user isn't allowed outside of his subtree, the user will not
be allowed outside of his subtree.  He will receive access errors, or
more likely, will already be prevented from going outside his subtree.
Usually this is accomplished by hiding anything outside of the home
directory, and treating all absolute path names as paths relative to the
home directory.

> I don't recall the details of how FTP works here, but is this 
> topic worth a 
> note under security considerations?

FTP usually works by logging the user in and impersonating him/her, so
that the same access permissions as would apply in a logon session will
also apply during their FTP session.

Alun.
~~~~

Received on Friday, 29 October 2004 16:28:40 UTC