[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: lynx-dev lynx: ftp anonymous password
|
From: |
David Mosher |
|
Subject: |
Re: lynx-dev lynx: ftp anonymous password |
|
Date: |
Tue, 19 Feb 2002 13:16:08 -0500 |
|
User-agent: |
Mutt/1.2.5i |
Sat 2002.02.16 13:01 +0000, in message
<address@hidden>, RobertM <address@hidden> wrote,
> It is alleged that Eduardo Pérez once typed:
[...]
> > What's more important, no program should send private information
> > without the user knowledge.
>
> Lynx doesn't send private information without the users knowledge,
> assuming that the user reads the documentation:
>
> For anonymous ftp, Lynx uses your personal_mail_address (address@hidden) as
> the password if it has been defined via the 'o'ptions menu. Otherwise,
> Lynx uses the dummy password WWWUser.
>
> Quoted from: lynx/lynx_help/lynx_url_support.html#ftp
>
> So no problem on that front.
The code appears to be at odds with the quoted documentation.
I append the relevant portion of HTFPT.c from the 2.8.4 release. (At a
quick glance, this portion looks unchanged from the 2.8.3 release.) The
password for anonymous FTP is constructed thusly (omitting a couple
details):
1. If personal_mail_address (read from .lynxrc) is non-null, use it.
2. Otherwise, look in the user's environment for USER. If $USER is
non-null, use the concatenation of $USER, '@', and the string returned
by HTHostName().
3. Otherwise (only when *both* personal_mail_address and $USER are null),
use the concatenation of "WWWUser@" and the string returned by
HTHostName().
The documentation neglects to mention what I have labeled step 2. On
Unix/Linux, as long as HTHostName() (defined in HTTCP.c) returns the right
thing, this step almost certainly will produce a valid e-address, even
though the user never entered one into .lynxrc (using the o'ptions menu, or
otherwise).
Sr Pérez's claim in this regard seems justified.
Those who wish to address this issue for their own use immediately, before
recompiling with Sr Pérez's previously proposed change or while awaiting
whatever change may arise from this thread, might consider entering
"WWWUser@" as the value for personal_mail_address in .lynxrc (most easily
done using the o'ptions menu within Lynx). This will avert Lynx's possibly
successful effort to generate an e-address with USER and approximate the
behavior claimed by the documentation. The obviously ill-formed e-address
"WWWUser@" will be submitted by Lynx as the password for anonymous FTPs.
(FTP servers are, of course, at liberty to reject it.)
Note that if just "WWWUser" is entered for personal_mail_address, Lynx will
concatenate that string with '@' and (probably) the string returned by
HTHostName() (one of the details omitted in the above synopsis), resulting
in a (probably) targetless e-address that isn't obviously invalid. To me,
this seems marginally less desirable, if only because it makes it slightly
more likely that e-mail will arrive at the local system addressed to
WWWUser@<hostname>. (Which, to be sure, might also happen in the case
above, if the FTP server's system puts the "WWWUser@" together with the
hostname it also logged.)
--
David Mosher <address@hidden>
======================================================================
lynx2-8-4/WWW/Library/Implementation/HTFTP.c
2001.06.03 12:58; 100578 bytes; CRC-32 = 935a4ab0; line 855
----------------------------------------------------------------------
/*
* Create and send a mail address as the password. - FM
*/
char *user = NULL;
CONST char *host = NULL;
char * cp;
if (personal_mail_address && *personal_mail_address) {
/*
* We have a non-zero length personal
* mail address, so use that. - FM
*/
StrAllocCopy(user, personal_mail_address);
if ((cp=strchr(user, '@')) != NULL) {
*cp++ = '\0';
host = cp;
} else {
host = HTHostName();
}
} else {
/*
* Use an environment variable and the host global. - FM
*/
if ((cp=getenv("USER")) != NULL)
StrAllocCopy(user, cp);
else
StrAllocCopy(user, "WWWuser");
host = HTHostName();
}
/*
* If host is not fully qualified, suppress it
* as ftp.uu.net prefers a blank to a bad name
*/
if (!(host) || strchr(host, '.') == NULL)
host = "";
HTSprintf0(&command, "PASS address@hidden", user, host, CR, LF);
FREE(user);
======================================================================
; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to address@hidden
- lynx-dev lynx: ftp anonymous password, Eduardo Pérez, 2002/02/15
- Re: lynx-dev lynx: ftp anonymous password, Doug Kaufman, 2002/02/15
- lynx-dev Re: lynx: ftp anonymous password, Eduardo Pérez, 2002/02/15
- Re: lynx-dev lynx: ftp anonymous password, David Mosher, 2002/02/15
- Re: lynx-dev lynx: ftp anonymous password, Eduardo Pérez, 2002/02/16
- Re: lynx-dev lynx: ftp anonymous password, RobertM, 2002/02/16
- Re: lynx-dev lynx: ftp anonymous password, Al Gilman, 2002/02/16
- Re: lynx-dev lynx: ftp anonymous password, Duncan Simpson, 2002/02/16
- Re: lynx-dev lynx: ftp anonymous password, Walter Ian Kaye, 2002/02/17
- Re: lynx-dev lynx: ftp anonymous password,
David Mosher <=
Re: lynx-dev lynx: ftp anonymous password, RobertM, 2002/02/16
Re: lynx-dev lynx: ftp anonymous password, David Woolley, 2002/02/15
Re: lynx-dev lynx: ftp anonymous password, David Mosher, 2002/02/17