Details
Bug
Resolution: Done
P3: Somewhat important
None
5.0.0
None
Description
ftp://qt-test-server/qtest/rfc3252.txt works
ftp://ftptest:password@qt-test-server/qtest/rfc3252.txt does not work (although it works in browsers)
The reason is that we issue the command "CWD /qtest" which is incorrect.
RFC1738 states:
   Within a name or CWD component, the characters "/" and ";" are
   reserved and must be encoded. The components are decoded prior to
   their use in the FTP protocol. In particular, if the appropriate FTP
   sequence to access a particular file requires supplying a string
   containing a "/" as an argument to a CWD or RETR command, it is
   necessary to encode each "/".

   For example, the URL <URL:ftp://myname@host.dom/%2Fetc/motd> is
   interpreted by FTP-ing to "host.dom", logging in as "myname"
   (prompting for a password if it is asked for), and then executing
   "CWD /etc" and then "RETR motd". This has a different meaning from
   <URL:ftp://myname@host.dom/etc/motd> which would "CWD etc" and then
   "RETR motd"; the initial "CWD" might be executed relative to the
   default directory for "myname". On the other hand,
   <URL:ftp://myname@host.dom//etc/motd>, would "CWD " with a null
   argument, then "CWD etc", and then "RETR motd".
The reason this works for anonymous access is that anonymous users are "chroot'ed" into the FTP directory, whereas authenticated users can see the whole filesystem.
The bug could affect anonymous FTP, if a server is configured such that the default path is not the ftp root directory.
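
The RFC 1738 mapping quoted above, as an added example that is not Qt's code and not part of the original report. The names `decodeSegment` and `ftpCommands` are hypothetical; the input is assumed to be the still-encoded url-path with the "/" after the host already removed and no ";type=" suffix. Rejecting a decoded CR or LF is a hardening choice added here, not something the report discusses.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Percent-decode one url-path segment. Returns false on a malformed escape
// or on a decoded CR/LF, which would end the FTP command line early.
bool decodeSegment(const std::string &seg, std::string &out) {
    out.clear();
    for (std::size_t i = 0; i < seg.size(); ++i) {
        char c = seg[i];
        if (c == '%') {
            if (i + 2 >= seg.size() || !std::isxdigit(static_cast<unsigned char>(seg[i + 1])) ||
                !std::isxdigit(static_cast<unsigned char>(seg[i + 2])))
                return false;
            c = static_cast<char>(std::stoi(seg.substr(i + 1, 2), nullptr, 16));
            i += 2;
        }
        if (c == '\r' || c == '\n') return false;
        out += c;
    }
    return true;
}

// Segments are split on literal "/" first and decoded afterwards, so an
// encoded "%2F" stays inside a single CWD argument. Every segment but the
// last becomes a CWD; the last is treated as the file name for RETR.
// Returns an empty vector when the path is rejected.
std::vector<std::string> ftpCommands(const std::string &rawPath) {
    std::vector<std::string> cmds;
    std::size_t start = 0;
    for (;;) {
        std::size_t slash = rawPath.find('/', start);
        bool last = (slash == std::string::npos);
        std::string seg;
        if (!decodeSegment(rawPath.substr(start, last ? slash : slash - start), seg))
            return {};
        cmds.push_back((last ? "RETR " : "CWD ") + seg);
        if (last) return cmds;
        start = slash + 1;
    }
}

int main() {
    // url-path of the failing URL in this report: relative "CWD qtest", not "CWD /qtest"
    for (const auto &c : ftpCommands("qtest/rfc3252.txt")) std::cout << c << "\n";
}
```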