From: Daniel Stenberg
Date: Mon, 21 Sep 2020 07:15:51 +0000 (+0200)
Subject: ftp: separate FTPS from FTP over "HTTPS proxy"
X-Git-Tag: curl-7_73_0~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1397a7de6e312e019a3b339f855ba0a5cafa9127;p=thirdparty%2Fcurl.git
ftp: separate FTPS from FTP over "HTTPS proxy"
When using HTTPS proxy, SSL is used but not in the view of the FTP protocol handler itself so separate the connection's use of SSL from the FTP control connection's sue.
Reported-by: Mingtao Yang
Fixes #5523
Closes #6006
---
diff --git a/lib/ftp.c b/lib/ftp.c
index a5083be04d..3fd9cea2c4 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2508,7 +2508,7 @@ static CURLcode ftp_state_loggedin(struct connectdata *conn)
 {
 CURLcode result = CURLE_OK;
- if(conn->ssl[FIRSTSOCKET].use) {
+ if(conn->bits.ftp_use_control_ssl) {
 /* PBSZ = PROTECTION BUFFER SIZE. The 'draft-murray-auth-ftp-ssl' (draft 12, page 7) says:
@@ -2659,14 +2659,8 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 }
 #endif
- if(data->set.use_ssl &&
- (!conn->ssl[FIRSTSOCKET].use
-#ifndef CURL_DISABLE_PROXY
- || (conn->bits.proxy_ssl_connected[FIRSTSOCKET] &&
- !conn->proxy_ssl[FIRSTSOCKET].use)
-#endif
- )) {
- /* We don't have a SSL/TLS connection yet, but FTPS is
+ if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
+ /* We don't have a SSL/TLS control connection yet, but FTPS is
 requested. Try a FTPS connection now */
 ftpc->count3 = 0;
@@ -2708,6 +2702,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 result = Curl_ssl_connect(conn, FIRSTSOCKET);
 if(!result) {
 conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
+ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
 result = ftp_state_user(conn);
 }
 }
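Review bot: The rewritten check in ftp_statemach_act, `if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl)`, does not say why the socket-level `conn->ssl[FIRSTSOCKET].use` is no longer consulted, and the same holds for the check in ftp_state_loggedin (hunk at -2508). Going by the commit message, that field is also set when only the HTTPS proxy leg is encrypted, so a later cleanup that reverts to it could again confuse proxy TLS with control-channel TLS; I would add `/* use the FTP-level flag: conn->ssl[].use is also set when only the HTTPS proxy leg uses TLS */` above the condition. The test changes visible in this patch only drop PBSZ/PROT from the plain-FTP-over-HTTPS-proxy cases; a case that requests FTPS through an HTTPS proxy, which the removed `proxy_ssl_connected` clause covered, would pin that AUTH is still issued and PBSZ/PROT still follow. Both functions start and end outside their hunks.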
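Review bot: Nothing in the visible patch ever clears `ftp_use_control_ssl` once it is set here after Curl_ssl_connect() succeeds in ftp_statemach_act (hunk at -2708), nor after the equivalent assignment in ftp_connect (hunk at -3110). If ftp.c can later take the control channel back to clear text on FIRSTSOCKET (that code is outside these hunks, so this needs confirming), the bit would keep reporting TLS on a connection that no longer has it. Either reset it at that point with `conn->bits.ftp_use_control_ssl = FALSE;`, or state in a comment that the bit means "TLS was negotiated" rather than "TLS is active now". The assignment in ftp_connect also lacks the trailing `/* SSL on control */` comment its twin has.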
@@ -3089,7 +3084,7 @@ static CURLcode ftp_block_statemach(struct connectdata *conn)
 *
 */
 static CURLcode ftp_connect(struct connectdata *conn,
- bool *done) /* see description above */
+ bool *done) /* see description above */
 {
 CURLcode result;
 struct ftp_conn *ftpc = &conn->proto.ftpc;
@@ -3110,6 +3105,7 @@ static CURLcode ftp_connect(struct connectdata *conn,
 result = Curl_ssl_connect(conn, FIRSTSOCKET);
 if(result) return result;
+ conn->bits.ftp_use_control_ssl = TRUE;
 }
 Curl_pp_setup(pp); /* once per transfer */
diff --git a/lib/urldata.h b/lib/urldata.h
index d0a0625cdc..5ee81770ea 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -469,6 +469,7 @@ struct ConnectBits {
 EPRT doesn't work we disable it for the forthcoming requests */
 BIT(ftp_use_data_ssl); /* Enabled SSL for the data connection */
+ BIT(ftp_use_control_ssl); /* Enabled SSL for the control connection */
 #endif
 BIT(netrc); /* name+password provided by netrc */
 BIT(bound); /* set true if bind() has already been done on this socket/
diff --git a/tests/data/test1631 b/tests/data/test1631
index cd36b1d9b0..8785119088 100644
--- a/tests/data/test1631
+++ b/tests/data/test1631
@@ -74,8 +74,6 @@ Proxy-Connection: Keep-Alive
 USER anonymous
 PASS ftp@example.com
-PBSZ 0
-PROT P
 PWD
 EPSV
 TYPE I
diff --git a/tests/data/test1632 b/tests/data/test1632
index b10b2a68ad..94577efdda 100644
--- a/tests/data/test1632
+++ b/tests/data/test1632
@@ -89,8 +89,6 @@ Proxy-Connection: Keep-Alive
 USER anonymous
 PASS ftp@example.com
-PBSZ 0
-PROT P
 PWD
 EPSV
 TYPE I
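Review bot: The comment on the new `ftp_use_control_ssl` bit in struct ConnectBits (lib/urldata.h hunk at -469) does not say how it differs from the per-socket SSL state, which is the whole reason the bit exists. I would word it as `BIT(ftp_use_control_ssl); /* TLS negotiated by the FTP code on the control connection; not set when only an HTTPS proxy leg uses TLS */`, so that readers checking whether credentials and commands are protected end-to-end look at the right field. The bit sits before an `#endif` whose opening conditional is outside the hunk, so every reader and writer of it in ftp.c presumably has to live under the same guard; that is worth confirming for builds with FTP disabled.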