Subject: Re: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed
To: Luke Mewburn <email@example.com>
From: Guenther Grau <Guenther.Grau@bk.bosch.de>
Date: 11/27/1997 10:30:47
Luke Mewburn wrote:
> Christos Zoulas writes:
> > >>Fix:
> > >
> > >.../sysinst/net.c, line 277:
> > > ret = run_prog("/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
> > > ftp_user, ftp_pass, ftp_host, ftp_dir
> > ,
> > > filename);
> > >
> > >Should be obvious what's going on here - enclosing the URL in
> > >single quote should fix the problem. Also in the ftp-call a
> > >few lines above.
> > This is not correct; consider if your passwd contains a single quote.
> > A more correct solution should:
> > - escape all shell metacharacters by prepending a backslash to them.
> > - probably the ftp url parser should be modified to accept escaped
> > characters too. (Consider what happens if your passwd has a : or /)
> I'm not sure if it's `legal' to escape characters in an ftp url (i've
> considered this problem before; part of the issue is that the url
> can be of the form:
> (i.e, optional bits at either end of the string)
> i'll investigate to find the ``correct'' way to escape characters in
> urls, and get around to implementing it in ftp(1). i don't know if/how
> any other url using products (i.e, browsers) cope with ':', '@', or
> '/' in passwords...
just a few words on this. I live behind a firewall, but I can WWW through
a chain of proxies. Some anonymous ftp-server demand a @ in the
email-address you provide as a password. This caused a lot of problems,
because @ is a special character in http. The solution was
%25 is interpreted as "%" by the first proxy
%25 is intepreted by the second proxy leaving
and the third proxy converts this to
which finally makes it to the ftp-server. If I understand this properly, then
the amount of quoting needed depends on the number of proxies on the
way to the final server.
This is just a data point that should be taken into account when dealing with