Re: Problem with ftp proxying

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 24 Jan 1998 10:33:59 +0100

Mike Wohlgemuth wrote:
>
> >We have users who want to retrieve software via non-anonymous FTP.
> >He can log in to the FTP server with a password, but cannot retrieve
> >any files except under his home directory.

This is intentional, and according to the RFC 1738 specification. To
reach outside the home directory on a UNIX (compatible) server you have
to encode a / in the URL. http://server/%2f/some/path/file

The 1.1.X series are a bit confusing. 1.2 resolves this confusion.

> well as one where Squid drops the password from the BASE tag it returns
> to the browser. Dropping the password doesn't cause problems for
> Netscape, but it confuses Internet Explorer.

Your fix to this is not the best available, since it will make the
password show up in plain text even when the user is using
authentication to provide the password. You should avoid URLs with
encoded passwords as
much as possible, and if IE does not support HTTP authentication from a
http->ftp gateway (ftp proxy) then yell at Microsoft as this is very bad
from a security perspective.

Squid is designed to use HTTP authentication for http->ftp gatewaying
(triggered by a non-anonymous FTP url without password), but does
support URL encoded passwords if you insist on using them.

If you do need to have the passwords in BASE HREF, then change "#ifdef
NEVER_INCLUDE_PASSWORD" to #ifndef... This will make the password
show up when needed.

---
Henrik Nordström
Sparetime Squid Hacker
Received on Sat Jan 24 1998 - 01:51:31 MST
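
Added example, not part of the original message and not Squid's code: a sketch of the RFC 1738 (section 3.2.2) path mapping the reply refers to, plus a helper that drops the password from a URL before it is echoed back (for instance in a BASE HREF). The ftp:// scheme, the user name "user" and the password "secret" are constructed sample values; both function names are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

def ftp_commands(url):
    """Map an ftp:// URL to the CWD/RETR sequence RFC 1738 section 3.2.2 describes."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL")
    path = parts.path.split(";", 1)[0]  # drop an optional ;type=<code> suffix
    # The "/" after the host only separates host from url-path; it is not
    # part of the path, so a plain path is relative to the login directory.
    segments = path[1:].split("/") if path.startswith("/") else [path]
    # Split on literal "/" first and decode afterwards, so an encoded %2f
    # stays inside its own segment and becomes the argument "CWD /".
    *dirs, name = [unquote(s) for s in segments]
    cmds = ["CWD " + d for d in dirs]
    if name:
        cmds.append("RETR " + name)
    return cmds

def strip_password(url):
    """Return the URL with any password removed from the userinfo part."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if at:
        user = userinfo.split(":", 1)[0]  # keep the user name only
        netloc = user + "@" + hostport if user else hostport
    else:
        netloc = parts.netloc
    return urlunsplit(parts._replace(netloc=netloc))

if __name__ == "__main__":
    # Constructed sample URLs: home-relative path versus %2f-rooted path.
    for sample in ("ftp://user@server/some/path/file",
                   "ftp://user:secret@server/%2f/some/path/file"):
        print(strip_password(sample), "->", ftp_commands(sample))
```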
