Posted to dev@httpd.apache.org by "Viipuri, Timo" <ti...@f-secure.com> on 2005/06/07 09:47:02 UTC

Falling back from EPSV to PASV when using FTP proxy seems to break RFC 2428

Hi,

The logic in making passive connections through FTP proxy is correctly
implemented in Apache, i.e. first try to use EPSV -> if that fails, try PASV
-> if that fails, try PORT. However, only error codes 500 ("Syntax error,
command unrecognized"), 501 ("Syntax error in parameters or arguments") and
502 ("Command not implemented") are accepted for the decision of trying to
use PASV if EPSV fails. For all other error codes, the connection is reset.

In RFC 2428, it is stated that if the server doesn't support EPSV it MUST
return error message 522 ("Protocol not supported"). I think Apache should be
changed so that PASV is tried when receiving message 522 as well.

Also, some firewalls (at least Checkpoint) seem to have adopted the choice of
returning error message 505 ("Command Blocked") if the firewall doesn't allow
EPSV to be passed. Thus, it should also be included that PASV is tried in
Apache when receiving message 505 as well.

The correct operation would be achieved by the following change in code:

modules/proxy/proxy_ftp.c: line 1231:
<         if (rc != 229 && rc != 500 && rc != 501 && rc != 502) {
---
>         if (rc != 229 && rc != 500 && rc != 501 && rc != 502 && rc != 505
&& rc != 522) {
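Review bot: the condition at line 1231 is now a chain of six `rc !=` tests with nothing saying where each code comes from; a comment next to it (500/501/502 are the RFC 959 syntax/not-implemented replies, 522 is RFC 2428 "Protocol not supported", 505 is a firewall-specific "Command Blocked" reply rather than a standard code) would save the next reader from re-deriving this from the mailing list, and the line now runs past 80 columns, so break it after `rc != 502 &&`.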

What do you think?

Regards,
Timo
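To make the EPSV -> PASV -> PORT ladder and the effect of the proposed code list concrete, here is an added C example; it is not code from the message above or from Apache's proxy_ftp.c. It parses the three-digit code out of an FTP reply line, keeps the current condition (500/501/502) and the proposed one (adding 505 and 522) side by side, and drives the fallback against a few constructed server replies. The function names, the scripted-server shape and the choice of which codes move PASV on to PORT are assumptions of this example; the message only discusses the EPSV step.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Data-connection modes in the order the proxy tries them. */
typedef enum { MODE_EPSV, MODE_PASV, MODE_PORT, MODE_FAIL } data_mode;

/* Extract the three-digit reply code from an FTP reply line such as
 * "229 Entering Extended Passive Mode (|||6446|)". Accepts the RFC 959
 * multi-line form "229-..." too. Returns -1 for anything malformed so a
 * garbled or truncated reply is never mistaken for a success code. */
int ftp_reply_code(const char *line)
{
    if (line == NULL || strlen(line) < 3)
        return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return -1;
    if (line[3] != '\0' && line[3] != ' ' && line[3] != '-')
        return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* The condition as it stands at proxy_ftp.c line 1231 (quoted in the
 * message): only the RFC 959 syntax / not-implemented replies lead to a
 * PASV retry; anything else resets the connection. */
int epsv_fallback_old(int rc)
{
    return rc == 500 || rc == 501 || rc == 502;
}

/* The condition with the proposed change: 505 (firewall "Command Blocked",
 * reported for Checkpoint) and 522 (RFC 2428 "Protocol not supported")
 * also lead to a PASV retry instead of a reset. */
int epsv_fallback_new(int rc)
{
    return epsv_fallback_old(rc) || rc == 505 || rc == 522;
}

/* One rung of the EPSV -> PASV -> PORT ladder. `fallback` is the policy
 * applied to the EPSV reply. The PASV -> PORT step reuses the RFC 959
 * trio; that is an assumption of this example, not something the message
 * states about Apache. */
data_mode next_data_mode(data_mode tried, int rc, int (*fallback)(int))
{
    switch (tried) {
    case MODE_EPSV:
        if (rc == 229) return MODE_EPSV;              /* extended passive OK */
        return fallback(rc) ? MODE_PASV : MODE_FAIL;  /* retry or reset */
    case MODE_PASV:
        if (rc == 227) return MODE_PASV;              /* passive OK */
        return epsv_fallback_old(rc) ? MODE_PORT : MODE_FAIL;
    case MODE_PORT:
        return rc == 200 ? MODE_PORT : MODE_FAIL;     /* active OK, or give up */
    default:
        return MODE_FAIL;
    }
}

/* Drive the ladder against a scripted server: replies[MODE_EPSV] is the line
 * the server sends in answer to EPSV, replies[MODE_PASV] the answer to PASV,
 * replies[MODE_PORT] the answer to PORT. Returns the mode the data
 * connection ends up in, or MODE_FAIL where the proxy would reset. */
data_mode negotiate(const char *const replies[3], int (*fallback)(int))
{
    data_mode tried = MODE_EPSV;
    for (;;) {
        int rc = ftp_reply_code(replies[tried]);
        data_mode next = next_data_mode(tried, rc, fallback);
        if (next == tried || next == MODE_FAIL)
            return next;                 /* settled, or reset */
        tried = next;                    /* move down one rung */
    }
}

int main(void)
{
    /* Constructed reply lines for a server behind a firewall that blocks
     * EPSV with 505 but lets PASV through. */
    const char *const blocked[3] = {
        "505 Command Blocked",
        "227 Entering Passive Mode (192,0,2,10,19,137)",
        "200 PORT command successful"
    };
    printf("old policy ends in mode %d, new policy ends in mode %d\n",
           (int)negotiate(blocked, epsv_fallback_old),
           (int)negotiate(blocked, epsv_fallback_new));
    return 0;
}
```

With the old policy the 505 reply ends in MODE_FAIL (3), i.e. a reset; with the new one the same server settles on MODE_PASV (1). Replacing the first reply with "522 Network protocol not supported" shows the same split, while a 421 reply still resets under both policies.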