TC does not decode FTP user/password from URL

Flint · Post by *Flint » 2012-03-26, 12:30 UTC

1. Press Ctrl+N to initiate a new FTP connection.
2. Enter an FTP address with user and/or password specified directly in the URL, but replace one or more characters with their hex-code representation, like this:
ftp://te%73ter@192.168.0.1
(here the character "s" was replaced with "%73")
3. Set up a Wireshark or some similar tool on the client or the server to watch the real contents of the TCP/IP packets sent.
4. Press OK in the TC dialog.
5. TC sends the username/password exactly in the form they were given by the user (that is without decoding "%73" back into "s"), therefore the server would not accept it.

Some clarification.
According to rfc3986, the userinfo part (which contains username and password, though the latter is now considered deprecated) can be written using the hex-code representation (so-called "pct-encoded"). In particular, it has to be so to allow including special characters. For example, if the password contains a slash character (e.g. "pass/word"), it cannot be written directly, because the URL ftp://tester:pass/word@exacmple.com would mean that "tester:pass" is the host name. And if you replace the slash with its hex form, like in ftp://tester:pass%2Fword@exacmple.com, TC just sends the password exactly as "pass%2Fword", and it is not accepted by the server.

Post by *ghisler(Author) » 2012-03-26, 13:46 UTC

Sorry, TC saves the URLs without this encoding, and it also loads them without it. Changing it now would most certainly break many download files. Therefore I will not change it.

Flint · Post by *Flint » 2012-03-26, 13:51 UTC

ghisler(Author)
I don't tell anything about saving or loading. What my report is about is that TC should decode the username and password values when sending them via the USER and PASS commands during establishing FTP connection.

If you are afraid it would break existing connections for some users, you could make an option for it, disabled by default. Slash character in a password is not an imaginary situation, it was reported on one of the Russian forums.

Post by *ghisler(Author) » 2012-03-26, 14:19 UTC

What I wanted to say is that would probably break more than it would actually help. If users really want to use slashes in user names, they need to define an ftp connection in Ctrl+F instead of using an URL.

Flint · Post by *Flint » 2012-03-26, 14:25 UTC

ghisler(Author) wrote:What I wanted to say is that would probably break more than it would actually help.

That's why I suggested to make an option for those who know what they are doing. After all, RFC is not a document to discard so simply… IMHO, of course.

Post by *ghisler(Author) » 2012-03-30, 10:27 UTC

OK, I have added it now just for you, please test it!
DecodePercent=1
in wcx_ftp.ini.

Flint · Post by *Flint » 2012-03-30, 12:46 UTC

ghisler(Author)
Thanks! Quick test did not reveal any problems.

Post by *ghisler(Author) » 2012-04-02, 13:23 UTC

Thanks for trying it!