bin/89403: fetch(1) doesn't honour authentication credentials when
going through a proxy
Edwin Groothuis
edwin at mavetju.org
Tue Nov 22 02:50:31 GMT 2005
>Number: 89403
>Category: bin
>Synopsis: fetch(1) doesn't honour authentication credentials when going through a proxy
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 22 02:50:23 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Edwin Groothuis
>Release: FreeBSD 5.4-RELEASE i386
>Organization:
-
>Environment:
System: FreeBSD tinderbox.barnet.com.au 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root at harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When trying this URL on a machine without HTTP_PROXY defined:
$ fetch ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo
fetch: ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo: File unavailable (e.g., file not found, no access)
But when running it on a machine with HTTP_PROXY defined:
$ fetch ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo
fetch: ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo: Unauthorized
Network trace gives this:
T 10.192.1.5:61229 -> 202.83.176.9:8080 [AP]
GET ftp://3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1..
##
T 10.192.1.5:61229 -> 202.83.176.9:8080 [AP]
Host: 3dgamers.mirror.internode.on.net..Authorization: Basic M2RncjM1Zzptcj
IzZzIzOWE=..User-Agent: fetch libfetch/2.0..Connection: close....
And towards the FTP server:
T 203.16.214.173:21 -> 202.83.176.9:1982 [AP]
220 203.16.214.173 FTP server ready..
#
T 202.83.176.9:1982 -> 203.16.214.173:21 [AP]
USER anonymous..
##
T 203.16.214.173:21 -> 202.83.176.9:1982 [AP]
331 Password required for anonymous...
#
T 202.83.176.9:1982 -> 203.16.214.173:21 [AP]
PASS Squid at ..
When telnetting to the proxy and entering this command:
GET ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1
I see this on the line:
220 203.16.214.173 FTP server ready..
#
T 202.83.176.9:3880 -> 203.16.214.173:21 [AP]
USER 3dgr35g..
##
T 203.16.214.173:21 -> 202.83.176.9:3880 [AP]
331 Password required for 3dgr35g...
#
T 202.83.176.9:3880 -> 203.16.214.173:21 [AP]
PASS mr23g239a..
#
T 203.16.214.173:21 -> 202.83.176.9:3880 [AP]
230 Anonymous access granted, restrictions apply...
which is exactly what I expected in the first place.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
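An added example, not part of the original report and not libfetch or Squid code: given a captured proxy request, it reports whether the FTP credentials travel in the request URL or only in an Authorization: Basic header, which is the difference between the two traces above. The function names are hypothetical, and the two sample requests are reconstructed from the traces in the report (the telnet request is assumed to have no headers).

```python
import base64
from urllib.parse import urlsplit

CRLF = "\r\n"
# Sample requests reconstructed from the traces in the report: ".." in the
# trace is CR LF, and the line-wrapped Authorization value is rejoined.
FETCH_REQ = CRLF.join([
    "GET ftp://3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1",
    "Host: 3dgamers.mirror.internode.on.net",
    "Authorization: Basic M2RncjM1ZzptcjIzZzIzOWE=",
    "User-Agent: fetch libfetch/2.0",
    "Connection: close", "", ""]).encode()
TELNET_REQ = ("GET ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net"
              "/3dgamers/games/quake4/foo HTTP/1.1" + CRLF * 2).encode()

def credential_locations(raw_request):
    """Return where a proxy request carries credentials for the target."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split(CRLF)
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    found = {"scheme": url.scheme, "url_userinfo": None, "basic_header": None}
    if url.username is not None:
        found["url_userinfo"] = (url.username, url.password)
    for line in header_lines:
        name, _, value = line.partition(":")
        kind, _, token = value.strip().partition(" ")
        if name.strip().lower() != "authorization" or kind.lower() != "basic":
            continue
        try:  # Basic is only base64("user:password"), readable by any observer
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:
            continue  # malformed token: report nothing rather than guess
        user, _, password = decoded.decode("latin-1").partition(":")
        found["basic_header"] = (user, password)
    return found

def classify(raw_request):
    """Label the request by the way the two traces in the report differ."""
    found = credential_locations(raw_request)
    if found["url_userinfo"]:
        return "url-userinfo"   # form the proxy used for FTP USER/PASS
    if found["scheme"] == "ftp" and found["basic_header"]:
        return "header-only"    # form after which the proxy sent USER anonymous
    return "no-credentials"

if __name__ == "__main__":
    for label, req in (("fetch", FETCH_REQ), ("telnet", TELNET_REQ)):
        print(label, classify(req), credential_locations(req))
```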