[PATCH] 477536 - don't assume PASS follows USER

Chris Lumens <clumens@xxxxxxxxxx> · Mon, 5 Jan 2009 16:45:53 -0500

According to the FTP RFC, the USER command does not need to be followed
by a PASS command.  It's possible to disable password prompting for
anonymous users, as the bug report indicates.  Assuming I am reading all
this FTP command handling code right, the attached patch should bypass
sending a PASS command and waiting for a response if the server gave us
a response of 230 for USER.  I'd appreciate someone else checking this
out as well.

- Chris

diff --git a/loader/ftp.c b/loader/ftp.c
index aa7a95b..8f8a585 100644
--- a/loader/ftp.c
+++ b/loader/ftp.c
@@ -74,7 +74,6 @@ extern int h_errno;
 #include "net.h"
 
 static int ftpCheckResponse(int sock, char ** str);
-static int ftpCommand(int sock, char * command, ...);
 static int getHostAddress(const char * host, void * address, int family);
 
 static int ftpCheckResponse(int sock, char ** str) {
@@ -167,7 +166,7 @@ static int ftpCheckResponse(int sock, char ** str) {
     return 0;
 }
 
-int ftpCommand(int sock, char * command, ...) {
+static int ftpCommand(int sock, char **response, char * command, ...) {
     va_list ap;
     int len;
     char * s;
@@ -204,7 +203,7 @@ int ftpCommand(int sock, char * command, ...) {
         return FTPERR_SERVER_IO_ERROR;
     }
 
-    if ((rc = ftpCheckResponse(sock, NULL)))
+    if ((rc = ftpCheckResponse(sock, response)))
         return rc;
 
     return 0;
@@ -261,6 +260,7 @@ int ftpOpen(char *host, int family, char *name, char *password,
     struct sockaddr_in6 destPort6;
     struct passwd * pw;
     int rc = 0;
+    char *userReply;
 
     if (port < 0) port = IPPORT_FTP;
 
@@ -322,17 +322,22 @@ int ftpOpen(char *host, int family, char *name, char *password,
         return rc;     
     }
 
-    if ((rc = ftpCommand(sock, "USER", name, NULL))) {
+    if ((rc = ftpCommand(sock, &userReply, "USER", name, NULL))) {
         close(sock);
         return rc;
     }
 
-    if ((rc = ftpCommand(sock, "PASS", password, NULL))) {
-        close(sock);
-        return rc;
+    /* FTP does not require that USER be followed by PASS.  Anonymous logins
+     * in particular do not need any password.
+     */
+    if (!strncmp(userReply, "230", 3)) {
+        if ((rc = ftpCommand(sock, NULL, "PASS", password, NULL))) {
+            close(sock);
+            return rc;
+        }
     }
 
-    if ((rc = ftpCommand(sock, "TYPE", "I", NULL))) {
+    if ((rc = ftpCommand(sock, NULL, "TYPE", "I", NULL))) {
         close(sock);
         return rc;
     }

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list




