Subject: Re: port-i386/4580: sysinst i386 - no shell metachars in FTP password allowed
To: Luke Mewburn <>
From: Guenther Grau <>
List: netbsd-bugs
Date: 11/27/1997 10:30:47
Luke Mewburn wrote:

> Christos Zoulas writes:
> > >>Fix:
> > >
> > >.../sysinst/net.c, line 277:
> > >                        ret = run_prog("/usr/bin/ftp ftp://%s:%s@%s/%s/%s",
> > >                                       ftp_user, ftp_pass, ftp_host, ftp_dir
> > ,
> > >                                       filename);
> > >
> > >Should be obvious what's going on here - enclosing the URL in
> > >single quote should fix the problem. Also in the ftp-call a
> > >few lines above.
> >
> > This is not correct; consider if your passwd contains a single quote.
> >
> > A more correct solution should:
> >       - escape all shell metacharacters by prepending a backslash to them.
> >       - probably the ftp url parser should be modified to accept escaped
> >         characters too. (Consider what happens if your passwd has a : or /)
> I'm not sure if it's `legal' to escape characters in an ftp url (i've
> considered this problem before; part of the issue is that the url
> can be of the form:
>         ftp://[user:passwd]@host[:port]/...
> (i.e, optional bits at either end of the string)
> i'll investigate to find the ``correct'' way to escape characters in
> urls, and get around to implementing it in ftp(1). i don't know if/how
> any other url using products (i.e, browsers) cope with ':', '@', or
> '/' in passwords...


just a few words on this. I live  behind a firewall, but I can WWW through
a chain of proxies. Some anonymous ftp-server demand a @ in the
email-address you provide as a password. This caused a lot of problems,
because @ is a special character in http. The solution was

%25 is interpreted as "%" by the first proxy

The remaining

%25 is intepreted by the second proxy leaving

and the third proxy converts this to

which finally makes it to the ftp-server. If I understand this properly, then
the amount of quoting needed depends on the number of proxies on the
way to the final server.

This is just a data point that should be taken into account when dealing with
quoting issues.