DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=29498>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=29498 non-anonymous ftp broken in mod_proxy Summary: non-anonymous ftp broken in mod_proxy Product: Apache httpd-1.3 Version: 1.3.29 Platform: All OS/Version: All Status: NEW Severity: Major Priority: Other Component: mod_proxy AssignedTo: [email protected] ReportedBy: [EMAIL PROTECTED] CC: [EMAIL PROTECTED] That fix for proxypass, took out the use of the parsed uri data in the request structure, and instead opted to parse out the FTP request explicitly. This is fine, but the patch in question didn't account for the case where an ftp request might be of the form ftp://[EMAIL PROTECTED] It also seems to hardcode the ftp sites port to 21 which is probably acceptable, for most people, and doesn't pull the port from the URI. I have a patch fix that uses adds parsing for the username and the port number from the request. This patch has been tested with mozilla and works fine, but I.E. doesn't work for some reason. Did authenticated FTP proxying ever work with mod_proxy and Internet Explorer? >From William Rowe: > Microsoft, in it's all seeing all knowing benevolence, broke from RFC2616 > and no longer allows proto:[EMAIL PROTECTED] mechanics in IE (at least, > in HTTP.) This was done for the users of the world assaulted daily by > http://[EMAIL PROTECTED]/ URL's. > Although many of us think this is a *presentation* problem, they decided > that it is a vulnerability and crippled the feature. > > Your patch sounds great, and it quite possibly did work in the past, > but we don't expect to see this work from IE anymore, at least, not > when it uses http proxy. Here's the patch that fixes everything except IE: --- proxy_ftp.c 2004-05-28 15:15:15.960934000 -0400 +++ proxy_ftp.c.new 2004-05-28 15:14:27.480934000 -0400 @@ -558,14 +558,25 @@ return HTTP_BAD_REQUEST; urlptr += 3; destport = 21; + /* strip out the username */ + if ((strp = strchr(urlptr, '@')) != NULL) + urlptr = strp + 1; strp = strchr(urlptr, '/'); if (strp == NULL) { desthost = ap_pstrdup(p, urlptr); urlptr = "/"; } else { - char *q = ap_palloc(p, strp - urlptr + 1); - memcpy(q, urlptr, strp - urlptr); + char *q, *portptr; + + if ((portptr = strstr(urlptr, ":")) != NULL) + { + q = ap_palloc(p, portptr - urlptr + 1); + destport = atoi(portptr); + } + else + q = ap_palloc(p, strp - urlptr + 1); + memcpy(q, urlptr, (portptr ? portptr : strp) - urlptr); q[strp - urlptr] = '\0'; urlptr = strp; desthost = q; --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
