gvfs sends arbitrary FTP password even when no password was given (empty password)



Hello,

when connecting to an FTP server with a user account with an empty password,
gvfs sends "gvfsd-ftp-1.12.3@example.com" as the password. Some FTP
servers are OK with this (e.g. proftpd), but some are not (e.g. Mikrotik
routers) and the connection is rejected with a "530 Login incorrect"
message (the default user account on Mikrotik routers is admin with an empty
password).

The arbitrary password is generated in the /daemon/gvfsftptask.c file:

  if (G_VFS_FTP_RESPONSE_GROUP (status) == 3)
    {
      if (password == NULL || password[0] == 0)
        password = "gvfsd-ftp-" VERSION "@example.com";
      status = g_vfs_ftp_task_send (task, 0,
                                    "PASS %s", password);
    }


I believe the statement "password[0] == 0" in the condition here
"violates" the FTP RFCs - the FTP related RFCs don't specify password
complexity AFAIK, and therefore it should be possible to use empty
passwords for regular communication. :)


Thanks for your time. :)

best regards


Matej
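
The check quoted in the message next to the one it asks for, as an added example that is not gvfs code and not part of the original message. ANON_PLACEHOLDER, pass_reported, pass_requested and format_pass are hypothetical names, the placeholder string is constructed, and the example assumes the caller can tell a missing password (NULL) from an explicitly empty one ("").

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the string gvfs builds from VERSION. */
#define ANON_PLACEHOLDER "gvfsd-ftp-VERSION@example.com"

/* Reported behaviour: a missing password and an empty password are
 * both replaced by the placeholder. */
static const char *pass_reported(const char *password)
{
    if (password == NULL || password[0] == 0)
        return ANON_PLACEHOLDER;
    return password;
}

/* Requested behaviour: only a missing (NULL) password is replaced;
 * an explicitly empty password is sent exactly as given. */
static const char *pass_requested(const char *password)
{
    if (password == NULL)
        return ANON_PLACEHOLDER;
    return password;
}

/* Format the PASS command as it would go on the wire.
 * Returns the number of bytes written, or -1 if buf is too small. */
static int format_pass(char *buf, size_t len, const char *password)
{
    int n = snprintf(buf, len, "PASS %s\r\n", password);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: no password, empty password, real password. */
    const char *inputs[] = { NULL, "", "secret" };
    char line[128];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        format_pass(line, sizeof line, pass_reported(inputs[i]));
        printf("reported:  %s", line);
        format_pass(line, sizeof line, pass_requested(inputs[i]));
        printf("requested: %s", line);
    }
    return 0;
}
```

With the requested check, an account such as the Mikrotik default described above receives "PASS " followed by CRLF and nothing else, instead of the placeholder string.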

