> > Notice how 530 and 500 were both returned for the TYPE command > > that is not valid in this context. Now with the proposed fix: > > > > kemushi:~% telnet localhost 21 > > Trying 127.0.0.1... > > Connected to localhost. > > Escape character is '^]'. > > 220 kemushi.esdenera.com FTP server ready. > > USER anonymous > > 331 Guest login ok, send your email address as password. > > TYPE > > 530 Please login with USER and PASS. > > PASS me > > 230 Guest login ok, access restrictions apply. > > QUIT > > 221 Goodbye. > > Connection closed by foreign host. > > Specification says there can be no command between USER and PASS. > > https://www.ietf.org/rfc/rfc959.txt > > PASSWORD (PASS) > > The argument field is a Telnet string specifying the user's > password. This command must be immediately preceded by the > user name command, and, for some sites, completes the user's > identification for access control. Since password > information is quite sensitive, it is desirable in general > to "mask" it or suppress typeout. It appears that the > server has no foolproof way to achieve this. It is > therefore the responsibility of the user-FTP process to hide > the sensitive password information. >
So I'm going to suggest the (unspecified) clients are in violation of the RFC. I was immediately suspicious when I saw the code hadn't changed since -r1.1
