bin/89403: fetch(1) doesn't honour authentication credentials when going through a proxy

Edwin Groothuis edwin at mavetju.org
Tue Nov 22 02:50:31 GMT 2005 

>Number:         89403
>Category:       bin
>Synopsis:       fetch(1) doesn't honour authentication credentials when going through a proxy
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 22 02:50:23 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Edwin Groothuis
>Release:        FreeBSD 5.4-RELEASE i386
>Organization:
-
>Environment:
System: FreeBSD tinderbox.barnet.com.au 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May  8 10:21:06 UTC 2005     root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

>Description:

When trying this URL on a machine without HTTP_PROXY defined:
$ fetch ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo
fetch: ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo: File unavailable (e.g., file not found, no access)

But when running it on a machine with HTTP_PROXY defined:
$ fetch ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo
fetch: ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo: Unauthorized

Network trace gives this:
T 10.192.1.5:61229 -> 202.83.176.9:8080 [AP]
  GET ftp://3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1..
##
T 10.192.1.5:61229 -> 202.83.176.9:8080 [AP]
  Host: 3dgamers.mirror.internode.on.net..Authorization: Basic M2RncjM1Zzptcj
  IzZzIzOWE=..User-Agent: fetch libfetch/2.0..Connection: close....          

And towards the FTP server:
T 203.16.214.173:21 -> 202.83.176.9:1982 [AP]
  220 203.16.214.173 FTP server ready..                                      
#
T 202.83.176.9:1982 -> 203.16.214.173:21 [AP]
  USER anonymous..                                                           
##
T 203.16.214.173:21 -> 202.83.176.9:1982 [AP]
  331 Password required for anonymous...                                     
#
T 202.83.176.9:1982 -> 203.16.214.173:21 [AP]
  PASS Squid at ..                                                              

When telnetting to the proxy and entering this command:
GET ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1

I see this on the line:
  220 203.16.214.173 FTP server ready..                                      
#
T 202.83.176.9:3880 -> 203.16.214.173:21 [AP]
  USER 3dgr35g..                                                             
##
T 203.16.214.173:21 -> 202.83.176.9:3880 [AP]
  331 Password required for 3dgr35g...                                       
#
T 202.83.176.9:3880 -> 203.16.214.173:21 [AP]
  PASS mr23g239a..                                                           
#
T 203.16.214.173:21 -> 202.83.176.9:3880 [AP]
  230 Anonymous access granted, restrictions apply...                        

which is exactly what I expected in the first place.

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list