- From: Peter Stamfest <peter.stamfest@eunet.at>
- Date: Tue, 22 Aug 2000 11:07:22 +0200 (CEST)
- To: www-lib@w3.org
Hello everybody,

I still have to tackle the same problem: FTP connects may reuse channels with wrong user credentials. Given two URLs:

ftp://user1:passwd1@host.somewhere.net/home/user1/first_file
ftp://user2:passwd2@host.somewhere.net/home/user2/another_file

handed to libwww for download within the time connections are kept to be reused (persistent connections), the second request may use the user ID of the first request. The FTP client code tries to use the REIN command to change the user on the FTP server, but there are FTP servers that do not understand that command (most notably wu-ftpd). libwww erroneously uses the channel nevertheless.

This has severe security implications when libwww is used in a server-style application (say, for example, an FTP proxy), where different users can pass URLs to the libwww engine. In the above example, the second request may fail due to access violations (user1 is not allowed to access /home/user2), even though the URL is correct.

What should I (we?) do about this? The simplest thing to do would be to not reuse FTP connections at all, but then persistent connections become totally useless for FTP. Another solution would be to associate user credentials (or other protocol-dependent data) with a channel, and to only use a channel if the protocol-specific information is compatible with the request to be carried out across the channel.

Am I the only one to have this problem?

peter

--
Peter Stamfest
UNIX, Networking & Computing Consultant
Tel: +43/699/20711205
Software Development
E-Mail: ps@psncc.at, peter.stamfest@eunet.at
Received on Tuesday, 22 August 2000 05:09:30 UTC
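A sketch of the second option proposed in the post (bind the logged-in user to the cached channel and reuse it only when the credentials are compatible, falling back to a fresh connection when the server rejects REIN), as an added C example that is not libwww's code; the structure and function names and the simulated REIN replies are assumptions.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cached FTP control connection: it remembers which user it
 * is logged in as, so a later request cannot silently inherit that identity. */
typedef struct {
    char host[64];
    char user[32];
    int  in_use;
    int  rein_supported;   /* constructed flag standing in for the server's behaviour */
} ftp_channel;

/* Simulated server reply to REIN (constructed): RFC 959 servers answer 220,
 * servers such as the one described in the post answer 502 (not implemented). */
static int send_rein(const ftp_channel *ch) {
    return ch->rein_supported ? 220 : 502;
}

/* Decide whether a cached channel may carry a request for host/user.
 * Returns 1 if it may be reused, 0 if the caller must open a new connection. */
int ftp_channel_reusable(ftp_channel *ch, const char *host, const char *user) {
    if (ch->in_use || strcmp(ch->host, host) != 0)
        return 0;
    if (strcmp(ch->user, user) == 0)
        return 1;                      /* same credentials: safe to reuse */
    /* Different user: reuse only if the server honours REIN. Otherwise the
     * channel keeps the first user's identity and must not be handed out. */
    if (send_rein(ch) != 220)
        return 0;
    strncpy(ch->user, user, sizeof ch->user - 1);
    ch->user[sizeof ch->user - 1] = '\0';
    return 1;                          /* caller re-sends USER/PASS for the new user */
}

int main(void) {
    ftp_channel wu = {"host.somewhere.net", "user1", 0, 0};  /* rejects REIN */
    ftp_channel ok = {"host.somewhere.net", "user1", 0, 1};  /* accepts REIN */
    printf("user2 on REIN-less server: reuse=%d\n",
           ftp_channel_reusable(&wu, "host.somewhere.net", "user2"));  /* 0 */
    printf("user2 on REIN-capable server: reuse=%d (now %s)\n",
           ftp_channel_reusable(&ok, "host.somewhere.net", "user2"), ok.user);
    return 0;
}
```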