From 1397a7de6e312e019a3b339f855ba0a5cafa9127 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 21 Sep 2020 09:15:51 +0200
|
|
Subject: [PATCH] ftp: separate FTPS from FTP over "HTTPS proxy"
|
|
|
|
When using HTTPS proxy, SSL is used but not in the view of the FTP
|
|
protocol handler itself so separate the connection's use of SSL from the
|
|
FTP control connection's use.
|
|
|
|
Reported-by: Mingtao Yang
|
|
Fixes #5523
|
|
Closes #6006
|
|
|
|
---
|
|
lib/ftp.c | 16 ++++++----------
|
|
lib/urldata.h | 1 +
|
|
tests/data/test1631 | 2 --
|
|
tests/data/test1632 | 2 --
|
|
4 files changed, 7 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/lib/ftp.c b/lib/ftp.c
|
|
index e68086f..b489de6 100644
|
|
--- a/lib/ftp.c
|
|
+++ b/lib/ftp.c
|
|
@@ -2504,7 +2504,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
|
|
{
|
|
CURLcode result = CURLE_OK;
|
|
|
|
- if(conn->ssl[FIRSTSOCKET].use) {
|
|
+ if(conn->bits.ftp_use_control_ssl) {
|
|
/* PBSZ = PROTECTION BUFFER SIZE.
|
|
|
|
The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
|
|
@@ -2649,14 +2649,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
|
}
|
|
#endif
|
|
|
|
- if(data->set.use_ssl &&
|
|
- (!conn->ssl[FIRSTSOCKET].use
|
|
-#ifndef CURL_DISABLE_PROXY
|
|
- || (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
|
|
- !conn->proxy_ssl[FIRSTSOCKET].use)
|
|
-#endif
|
|
- )) {
|
|
- /* We don't have a SSL/TLS connection yet, but FTPS is
|
|
+ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
|
|
+ /* We don't have a SSL/TLS control connection yet, but FTPS is
|
|
requested. Try a FTPS connection now */
|
|
|
|
ftpc->count3 = 0;
|
|
@@ -2701,6 +2695,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
|
|
result = Curl_ssl_connect(conn, FIRSTSOCKET);
|
|
if(!result) {
|
|
conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
|
|
+ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
|
|
result = ftp_state_user(conn);
|
|
}
|
|
}
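Review bot: `ftp_use_control_ssl` is set to TRUE here after a successful AUTH and again in the `ftp_connect` hunk, but no hunk in this patch ever resets it, whereas the replaced `conn->ssl[FIRSTSOCKET].use` presumably followed the live state of the socket. If TLS on the control channel can be shut down later in the session (curl supports clearing the command channel with CCC; that code is outside this diff), the bit would keep claiming a protected control connection. Worth confirming, and if so adding `conn->bits.ftp_use_control_ssl = FALSE;` next to that shutdown. The enclosing `ftp_statemach_act` starts and ends outside the hunk.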
|
|
@@ -3091,7 +3086,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
|
|
*
|
|
*/
|
|
static CURLcode ftp_connect(struct connectdata *conn,
|
|
- bool *done) /* see description above */
|
|
+ bool *done) /* see description above */
|
|
{
|
|
CURLcode result;
|
|
struct ftp_conn *ftpc = &conn->proto.ftpc;
|
|
@@ -3112,6 +3107,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
|
|
result = Curl_ssl_connect(conn, FIRSTSOCKET);
|
|
if(result)
|
|
return result;
|
|
+ conn->bits.ftp_use_control_ssl = TRUE;
|
|
}
|
|
|
|
Curl_pp_init(pp); /* init the generic pingpong data */
|
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
index 8fd9e26..075c88d 100644
|
|
--- a/lib/urldata.h
|
|
+++ b/lib/urldata.h
|
|
@@ -472,6 +472,7 @@ struct ConnectBits {
|
|
EPRT doesn't work we disable it for the forthcoming
|
|
requests */
|
|
BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
|
|
+ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
|
|
#endif
|
|
BIT(netrc); /* name+password provided by netrc */
|
|
BIT(bound); /* set true if bind() has already been done on this socket/
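Review bot: The comment on the new `ftp_use_control_ssl` bit does not say what distinguishes it from `conn->ssl[FIRSTSOCKET].use`, which is the whole reason the field exists. Going by the commit message, the bit means TLS negotiated by the FTP layer itself and must stay unset when the only TLS in play is to an HTTPS proxy. I would spell that out, e.g. `/* TLS negotiated on the FTP control connection itself (implicit FTPS or AUTH); not set for TLS to an HTTPS proxy */`, so a later reader does not swap one check for the other. `struct ConnectBits` continues outside the hunk.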
|
|
diff --git a/tests/data/test1631 b/tests/data/test1631
|
|
index cd36b1d..8785119 100644
|
|
--- a/tests/data/test1631
|
|
+++ b/tests/data/test1631
|
|
@@ -74,8 +74,6 @@ Proxy-Connection: Keep-Alive
|
|
<protocol>
|
|
USER anonymous
|
|
PASS ftp@example.com
|
|
-PBSZ 0
|
|
-PROT P
|
|
PWD
|
|
EPSV
|
|
TYPE I
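Review bot: Dropping `PBSZ 0` and `PROT P` from the expected commands pins only the plain-FTP-through-HTTPS-proxy case (test1632 gets the same edit); nothing in this patch exercises the other side of the new `data->set.use_ssl && !conn->bits.ftp_use_control_ssl` condition. That is the case where FTPS is requested while the connection goes through an HTTPS proxy, and where the control connection should now be upgraded with AUTH rather than treated as already protected by the proxy's TLS. A test that expects the AUTH exchange in that setup would keep the two TLS layers from being conflated again. Such a test may already exist outside this diff.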
|
|
diff --git a/tests/data/test1632 b/tests/data/test1632
|
|
index b10b2a6..94577ef 100644
|
|
--- a/tests/data/test1632
|
|
+++ b/tests/data/test1632
|
|
@@ -89,8 +89,6 @@ Proxy-Connection: Keep-Alive
|
|
<protocol>
|
|
USER anonymous
|
|
PASS ftp@example.com
|
|
-PBSZ 0
|
|
-PROT P
|
|
PWD
|
|
EPSV
|
|
TYPE I
|
|
--
|
|
2.23.0
|
|
|