curl-library
ftp.c ignores some SSL errors regardless of the curl_ftpssl setting
Date: Tue, 14 Mar 2006 16:48:43 +0000
In ftp.c's "case FTP_AUTH" statement, failure of the server to accept a
security mechanism is ultimately ignored, regardless of the curl_ftpssl
(data->set.ftp_ssl) value:
if((ftpcode == 234) || (ftpcode == 334)) {
...
}
else if(ftp->count3 < 1) {
ftp->count3++;
ftp->count1 += ftp->count2; /* get next attempt */
result = Curl_nbftpsendf(conn, "AUTH %s", ftpauth[ftp->count1]);
/* remain in this same state */
}
else
result = ftp_state_user(conn); [IGNORES ERRORS]
Looking at the values for curl_ftpssl in curl.h, shouldn't anything higher
than CURLFTPSSL_TRY cause this to be a fatal error? If not, how does the
caller indicate it should be?
For reference, here are the settings:
/* parameter for the CURLOPT_FTP_SSL option */
typedef enum {
CURLFTPSSL_NONE, /* do not attempt to use SSL */
CURLFTPSSL_TRY, /* try using SSL, proceed anyway otherwise */
CURLFTPSSL_CONTROL, /* SSL for the control connection or fail */
CURLFTPSSL_ALL, /* SSL for all communication or fail */
CURLFTPSSL_LAST /* not an option, never use */
} curl_ftpssl;
I propose changing the code from:
...
else
result = ftp_state_user(conn);
to code that will error out depending on the curl_ftpssl setting:
...
else {
if(data->set.ftp_ssl > CURLFTPSSL_TRY) {
/* we failed and CURLFTPSSL_CONTROL or CURLFTPSSL_ALL is set */
result = CURLE_FTP_SSL_FAILED;
} else {
/* ignore the failure and continue */
result = ftp_state_user(conn);
}
}
-David McCreedy
Received on 2006-03-14