Posted to dev@httpd.apache.org by John Wojtowicz <wo...@TrustedCS.com> on 2004/05/28 17:10:55 UTC

FTP proxy broken for non-anonymous ftp in apache 1.3

Folks,

I think a recent fix for proxypass with ftp broke non-anonymous proxying of
FTP in the Apache 1.3 proxy module.

That fix for proxypass took out the use of the parsed uri data in the
request structure, and instead opted to parse out the FTP request
explicitly.  This is fine, but the patch in question didn't account for the
case where an ftp request might be of the form ftp://user@ftp.site.org

It also seems to hardcode the ftp site's port to 21, which is probably
acceptable for most people, and doesn't pull the port from the URI.

I have a patch fix that adds parsing for the username and the port number
from the request.  This patch has been tested with Mozilla and works fine,
but I.E. doesn't work for some reason.  Did authenticated FTP proxying ever
work with mod_proxy and Internet Explorer?

If there is interest in this patch I will post it to the mailing list.

A colleague and I have also uncovered what appears to be a couple problems
with the proxy cache code in 1.3.  One appears to be with the
ap_proxy_liststr function.  The other appears to be in the revalidation code
and concerns whether or not a cache file needs to be updated if ONLY the
Date header has changed, and nothing else.

John Wojtowicz 

Senior Secure Systems Engineer

Trusted Computer Solutions
2350 Corporate Park Drive
Suite 500
Herndon, VA  20171

P: 703-318-7134
F: 703-318-5041


Re: FTP proxy broken for non-anonymous ftp in IE

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 10:10 AM 5/28/2004, John Wojtowicz wrote:
>[...] the patch in question didn't account for the case where an ftp request
>might be of the form ftp://user@ftp.site.org
>
>It also seems to hardcode the ftp site's port to 21, which is probably
>acceptable for most people, and doesn't pull the port from the URI.
>
>I have a patch fix that adds parsing for the username and the port
>number from the request.  This patch has been tested with Mozilla and
>works fine, but I.E. doesn't work for some reason.  Did authenticated
>FTP proxying ever work with mod_proxy and Internet Explorer?

Microsoft, in its all-seeing, all-knowing benevolence, broke from RFC2616
and no longer allows proto:user@password mechanics in IE (at least,
in HTTP.)  This was done for the users of the world assaulted daily by
http://ebay.example.com@reallynastyhackers.example.net/ URLs.
Although many of us think this is a *presentation* problem, they decided
that it is a vulnerability and crippled the feature.

Your patch sounds great, and it quite possibly did work in the past,
but we don't expect to see this work from IE anymore, at least, not
when it uses http proxy.

Bill
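
Added example, not part of either message and not the patch John describes or Apache's mod_proxy code: a stand-alone C parser for the authority part of an ftp:// URL that pulls out the user and port instead of assuming port 21, and that shows which part of a user@host URL is the host actually contacted. The names parse_ftp_url and struct ftp_target, the "anonymous" default user and the buffer sizes are assumptions; percent-decoding and bracketed IPv6 hosts are not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ftp_target { char user[64]; char host[256]; int port; }; /* hypothetical, not an Apache type */
/* Parse ftp://[user[:password]@]host[:port][/path]. Returns 0, or -1 if malformed. */
int parse_ftp_url(const char *url, struct ftp_target *out)
{
    const char *p, *end, *q, *at = NULL, *colon;
    char *stop;
    size_t n;
    long port;

    if (strncmp(url, "ftp://", 6) != 0) return -1;
    p = url + 6;
    end = p + strcspn(p, "/?#");              /* authority ends at first / ? or # */
    for (q = p; q < end; q++)                 /* userinfo ends at the LAST '@' */
        if (*q == '@') at = q;
    strcpy(out->user, "anonymous");           /* assumed default when no user is given */
    if (at != NULL) {
        colon = memchr(p, ':', (size_t)(at - p));   /* a ':' here starts the password */
        n = (size_t)((colon ? colon : at) - p);
        if (n == 0 || n >= sizeof out->user) return -1;
        memcpy(out->user, p, n);
        out->user[n] = '\0';
        p = at + 1;                           /* the real host starts after the '@' */
    }
    colon = memchr(p, ':', (size_t)(end - p));
    n = (size_t)((colon ? colon : end) - p);
    if (n == 0 || n >= sizeof out->host) return -1;
    memcpy(out->host, p, n);
    out->host[n] = '\0';
    out->port = 21;                           /* default only when the URI names no port */
    if (colon != NULL) {
        if (!isdigit((unsigned char)colon[1])) return -1;
        port = strtol(colon + 1, &stop, 10);  /* must consume the whole port field */
        if (stop != end || port < 1 || port > 65535) return -1;
        out->port = (int)port;
    }
    return 0;
}

int main(void)
{
    struct ftp_target t;                      /* constructed sample URL below */
    if (parse_ftp_url("ftp://user@ftp.site.org:2121/pub/", &t) == 0)
        printf("user=%s host=%s port=%d\n", t.user, t.host, t.port);
    return 0;
}
```

Run against an ftp:// variant of the URL in Bill's reply, the parser reports reallynastyhackers.example.net as the host and ebay.example.com only as the user name, which is the distinction a proxy log or an address bar has to make visible.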