On Tue, Apr 25, 2017 at 12:27 -0600, Theo de Raadt wrote: > > > Notice how 530 and 500 were both returned for the TYPE command > > > that is not valid in this context. Now with the proposed fix: > > > > > > kemushi:~% telnet localhost 21 > > > Trying 127.0.0.1... > > > Connected to localhost. > > > Escape character is '^]'. > > > 220 kemushi.esdenera.com FTP server ready. > > > USER anonymous > > > 331 Guest login ok, send your email address as password. > > > TYPE > > > 530 Please login with USER and PASS. > > > PASS me > > > 230 Guest login ok, access restrictions apply. > > > QUIT > > > 221 Goodbye. > > > Connection closed by foreign host. > > > > Specification says there can be no command between USER and PASS. > >
This is fine. The question is about returning two errors instead of one. Returning one error (e.g. "530 Please login with USER and PASS.") is OK. > > https://www.ietf.org/rfc/rfc959.txt > > > > PASSWORD (PASS) > > > > The argument field is a Telnet string specifying the user's > > password. This command must be immediately preceded by the > > user name command, and, for some sites, completes the user's > > identification for access control. Since password > > information is quite sensitive, it is desirable in general > > to "mask" it or suppress typeout. It appears that the > > server has no foolproof way to achieve this. It is > > therefore the responsibility of the user-FTP process to hide > > the sensitive password information. > > > > So I'm going to suggest the (unspecified) clients are in violation > of the RFC. > Possibly, but you can successfully insert the NOOP or HELP commands in between in our implementation. The question is about two errors with different error codes. > I was immediately suspicious when I saw the code hadn't changed since -r1.1
