Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
libcurl believes that FTP control channel is secure when connecting through a HTTPS proxy #5523
I did this
curl_easy_setopt(curl, CURLOPT_URL, "ftp://some.ftp.server"); curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_FTP); curl_easy_setopt(curl, CURLOPT_HTTPPROXYTUNNEL, 1); curl_easy_setopt(curl, CURLOPT_PROXY, "proxy:443"); curl_easy_setopt(curl, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS); curl_easy_setopt(curl, CURLOPT_USERPWD, "...");
I observed the following:
curl correctly connects to the HTTPS proxy and issues a CONNECT to establish an (insecure) control connection to the destination FTP server.
The issue, I believe, is due to these lines here:
After libcurl authenticates on the control connection, it sends the
Normally, this would not be an issue, but in one bizarre case, the FTP server was responding with "200" in response to the
Tested on trunk (as of 2020/06/04), on commit c048dd0.
Linux localhost 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux