Bug 101027 - Prefs: improve ftp password when "advanced.mailftp"=false
Status: VERIFIED FIXED
: testcase
Product: Core
Classification: Components
Component: Networking: FTP
: Trunk
: x86 Windows 2000
: -- major
: mozilla0.9.5
Assigned To: Bradley Baetz (:bbaetz)
: benc
Mentors:
ftp://ftp.CPAN.org
: 117794
Depends on:
Blocks:
Reported: 2001-09-21 14:43 PDT by Sivakiran Tummala
Modified: 2006-08-16 07:41 PDT


Attachments
patch (606 bytes, patch)
2001-09-28 18:46 PDT, Bradley Baetz (:bbaetz)
dougt: review+
darin.moz: superreview+
ftp anonymous password (1.03 KB, patch)
2001-11-23 01:24 PST, epu
no flags

Description Sivakiran Tummala 2001-09-21 14:43:08 PDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2)
Gecko/20010726 Netscape6/6.1
BuildID:    2001-09-12-05

"mozilla@" is passed as passwd when visiting the site ftp://ftp.CPAN.org
username - anonymous 
passwd - mozilla@ //causing it to break 
an alert is shown saying "mozilla@ is not a valid passwd"
works fine in Linux.


Reproducible: Always

Actual Results:  alert pops up. 

Expected Results:  show the directory listing of CPAN ftp site
Comment 1 neeti 2001-09-24 09:43:04 PDT
darin
Comment 2 Darin Fisher 2001-09-24 18:41:35 PDT
-> ftp (bbaetz)
Comment 3 Bradley Baetz (:bbaetz) 2001-09-24 19:04:18 PDT
Confirming with 0.9.4.

We should send mozilla@example.com as the default, I guess.

dougt?
Comment 4 benc 2001-09-24 19:32:15 PDT
Set "Prefs |Advanced | "Send this email address as anonymous FTP password".
If that works, this is a dupe of bug 57763.
Comment 5 Bradley Baetz (:bbaetz) 2001-09-24 19:51:43 PDT
benc: no.

This worked on and off for both me and darin. The problem is that mozilla@ is
not a valid email address, and some ftp servers are picky.

The default should be changed
Comment 6 Doug Turner (:dougt) 2001-09-25 07:46:24 PDT
No.  We can not specify a dummy domain.  

Instead we should check against this server response and ask the user for a
username/password.

(note that other ftp clients have the same problem)
Comment 7 Bradley Baetz (:bbaetz) 2001-09-25 08:42:00 PDT
Why not? example.com is a domain which is guaranteed to never really exist.

We could do mozilla@{myHostName} though, but that would leak info if there was a
firewall in the middle.
Comment 8 Sivakiran Tummala 2001-09-25 10:30:44 PDT
My experience regarding these anonymous ftp servers is they just check for
@ followed by some text and a dot in the email address. Most of the ftp servers
will let you in even if the email address is wrongly formatted, but suggest to
use something like "abc@domain.com" when visiting next time. CPAN was picky.
Is it possible to check for the sanity of email address before sending so that
this problem will not occur and if it is not in right format just format it
Comment 9 benc 2001-09-25 13:57:19 PDT
bbaetz:

-re: "no"... Uh, my point is: the user can fix the problem themselves. The
summary didn't say "the default value fails w/ some servers."

-re example.com: I guess it wouldn't hurt. What do IE and Comm do? (Does anyone
have a URL that guarantees that "example.com" will never be used for perpetuity?)

I was just reading RFC 1630, which says:

FTP

   The ftp: prefix indicates that the FTP protocol is used, as defined
   in STD 9, RFC 959 or any successor.  The port number, if present,
   gives the port of the FTP server if not the FTP default.

   User name and password

      The syntax allows for the inclusion of a user name and even a
      password for those systems which do not use the anonymous FTP
      convention. The default, however, if no user or password is
      supplied, will be to use that convention, viz. that the user name
      is "anonymous" and the password the user's Internet-style mail
      address.

      Where possible, this mail address should correspond to a usable
      mail address for the user, and preferably give a DNS host name
      which resolves to the IP address of the client.  Note that servers
      currently vary in their treatment of the anonymous password.

In this light, it seems to me that we might want to have a radio button w/ more
sophisticated password settings (our default string, some address in an email
account you have configured, some reverse-lookup based address, or your custom string).

This might be yet another RFE, which I will create if you want to talk about
just editing this pref.

meanwhile, I've corrected the summary.
BTW, this pref name was not a great choice, can't we move it to "network.ftp.*"
before it is too late?

Comment 10 Bradley Baetz (:bbaetz) 2001-09-25 14:47:07 PDT
benc: Let's not get complicated. If we're going to send a bogus value by default,
let's send a semantically valid bogus one.
Comment 11 Sivakiran Tummala 2001-09-25 15:14:57 PDT
Ben,
I understand what you are saying, but people may not set the default value, in that
case browser has to set some value something like "profilename@mozilla.org" or
something like that
Comment 12 benc 2001-09-27 17:14:24 PDT
I'm not getting complicated, I'm just getting some standards advocacy in sideways :)

I didn't pick "mozilla@"... Heck, I never even thought it would work for a lot
of servers, but nobody ever objected until now...

What are our friends "IE and Comm" using?

re: <PROFILENAME> you pick that and mitchell probably have to get involved.

Comment 13 Bradley Baetz (:bbaetz) 2001-09-27 18:16:04 PDT
the default should be mozilla@example.com unless someone has large objections.

benc: nn4.77 for unix sends "mozilla@"
Comment 14 Sivakiran Tummala 2001-09-28 09:57:05 PDT
No problem as long as it is a semantically valid email address :)
Comment 15 benc 2001-09-28 18:20:31 PDT
Actually picking a domain brainlessly can get you in a lot of trouble. Look at
http://www.localhost.com.

I checked, and "example.com" is not in DNS. I'd prefer to know it's reserved as
bogus, but you get to decide, all I'm here to do is verify :)
Comment 16 Sivakiran Tummala 2001-09-28 18:24:31 PDT
how about using some busted dot com's :)
Comment 17 Bradley Baetz (:bbaetz) 2001-09-28 18:39:22 PDT
example.com is reserved. http://www.rfc-editor.org/rfc/rfc2606.txt

We could use mozilla@mozilla.example but I prefer the first.
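
The trade-offs raised in comments 7, 8 and 17, as an added example that is not part of the bug thread or Mozilla's code: it scores candidate anonymous passwords against the "picky server" heuristic from comment 8, the RFC 2606 reserved names, and the host name leak from comment 7. The regex, the function names and the sample host name are assumptions made for illustration.

```python
import re

# Names reserved by RFC 2606; they can never be registered to a real party.
RESERVED_SLDS = ("example.com", "example.net", "example.org")
RESERVED_TLDS = ("test", "example", "invalid", "localhost")

# Server-side heuristic as described in comment 8 (an assumption, not any
# real server's rule): text, "@", then text that contains a dot.
PICKY_RE = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def picky_server_accepts(password):
    return PICKY_RE.match(password) is not None


def domain_of(password):
    return password.rpartition("@")[2].lower().rstrip(".")


def is_reserved(domain):
    labels = domain.split(".")
    return labels[-1] in RESERVED_TLDS or ".".join(labels[-2:]) in RESERVED_SLDS


def leaks_hostname(password, local_hostname):
    # Comment 7's concern: mozilla@{myHostName} exposes the machine name
    # to the server even when the client sits behind a firewall.
    return domain_of(password) == local_hostname.lower()


def anonymous_password(send_real_email, user_email):
    # Real address only when the user opted in via the preference;
    # otherwise a syntactically valid address in a reserved domain.
    if send_real_email and user_email:
        return user_email
    return "mozilla@example.com"


def assess(password, local_hostname):
    return {
        "accepted_by_picky_server": picky_server_accepts(password),
        "reserved_domain": is_reserved(domain_of(password)),
        "leaks_hostname": leaks_hostname(password, local_hostname),
    }


if __name__ == "__main__":
    host = "ws17.corp.internal"  # constructed sample host name
    for pw in ("mozilla@", "mozilla@example.com",
               "mozilla@mozilla.example", "mozilla@" + host):
        print(pw, assess(pw, host))
```
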
Comment 18 Bradley Baetz (:bbaetz) 2001-09-28 18:46:47 PDT
Created attachment 51372
patch
Comment 19 Doug Turner (:dougt) 2001-10-01 07:02:18 PDT
I don't like this solution as much as I like what other clients do.  Why don't
we just pop up a dialog asking the user for another username/password pair?
Comment 20 Bradley Baetz (:bbaetz) 2001-10-01 07:50:06 PDT
I think that it would be confusing to pop up the dialog. It doesn't have a
problem with anonymous login, just the bogus email address. Why not give it a
'real' one which is invalid?
Comment 21 Doug Turner (:dougt) 2001-10-01 10:31:25 PDT
Comment on attachment 51372
patch

please add a comment above this line that mentions the RFC which provides that example.com is valid/legal.
Comment 22 Darin Fisher 2001-10-01 12:18:04 PDT
Comment on attachment 51372
patch

sr=darin
Comment 23 Bradley Baetz (:bbaetz) 2001-10-02 15:49:31 PDT
I checked this in last night, but forgot to mark it fixed. Oops.
Comment 24 Bradley Baetz (:bbaetz) 2001-10-02 15:49:51 PDT
...and now I just forgot to mark it fixed.
Comment 25 Sivakiran Tummala 2001-10-12 10:37:23 PDT
verified. works for me on linux build 10-10-04
Comment 26 epu 2001-11-23 01:24:31 PST
Created attachment 58946
ftp anonymous password

I send you a patch to correct ftp anonymous passwd.

There are three problems with the current approach:
- Some stupid servers try to check that what goes after @ exists
  and delay the login and could deny login if the example.com
  name goes down.
- Sending anything that's not anonymous@ as password is not anonymous
  by definition
- Spyware is not a good idea, most users don't like it.

As more and more ftp clients are moving to this anonymous@ password
(for example the kde kio ftp, qt3, gnome-xml)
I recommend you to apply the patch.
Comment 27 Bradley Baetz (:bbaetz) 2001-11-24 08:13:07 PST
No, we have to send a hostname - if we don't, then some sites won't let us in,
because it's not a valid address, which is why this bug was filed in the first place.

>- Some stupid servers try to check that what goes after @ exists
>  and delay the login and could deny login if the example.com
>  name goes down.

example.com doesn't have a DNS entry, and never will, which is why it's used. If
the root nameservers are timing out looking up that, the net is having much
greater problems.

Can you give an url for a server which denies access because example.com does
not exist?

>- Sending anything that's not anonymous@ as password is not anonymous
>  by definition

This is the 'password', not the username. The username is 'anonymous', which is
the custom for this sort of thing (it's not technically in any standard, but
people use it).

>- Spyware is not a good idea, most users don't like it.

How is this spyware?? The most it does is let another site know that you may be
using a mozilla based product, which is less than the useragent string or
navigator.appName gives you. We only send your real email address if you check
the box in preferences to do so.
Comment 28 epu 2001-12-25 13:23:30 PST
> No, we have to send a hostname - if we don't, then some sites won't let us in,
> because it's not a valid address, which is why this bug was filed in the first
> place.

Can you give an url for a server which denies access because you don't
send a hostname?

It can't be invalid because IE sends "IEUser@". If a server denies access
when there isn't a hostname, it's denying access to half the requests !!!

> >- Some stupid servers try to check that what goes after @ exists
> >  and delay the login and could deny login if the example.com
> >  name goes down.
>
> example.com doesn't have a DNS entry, and never will, which is why it's used. If
> the root nameservers are timing out looking up that, the net is having much
> greater problems.
>
> Can you give an url for a server which denies access because example.com does
> not exist?

I know servers that check the hostname against DNS and delay login by
that amount of time.

> >- Sending anything that's not anonymous@ as password is not anonymous
> >  by definition
> >- Spyware is not a good idea, most users don't like it.
>
> How is this spyware?? The most it does is let another site know that you may be
> using a mozilla based product, which is less than the useragent string or
> navigator.appName gives you. We only send your real email address if you check
> the box in preferences to do so.

Why do you think sending the useragent string is a good idea ? It isn't.
Do you know sites that deny http requests if you are not using IE ?
Monopoly tried to do so in its portal.

If you send "mozilla@example.com" instead of "anonymous@"
apart from being a privacy leak you are helping sites to
discriminate based on user agent and no user wants that.

Would you at least consider using "anonymous@example.com" ?
(I prefer using "anonymous@" as it's used by some ftp clients like
kde kio ftp, qt3, gnome-xml, libnet-perl)
Comment 29 Boris Zbarsky [:bz] 2002-01-02 17:46:00 PST
*** Bug 117794 has been marked as a duplicate of this bug. ***
Comment 30 Bradley Baetz (:bbaetz) 2002-01-10 03:48:11 PST
cpan does - see comment 0. Only one or two servers did it, and the dns entry
round robin's on where you are in the world, so you may not be able to reproduce
it. I managed from Montreal, though.

mozilla@ has been used for ages, and it can be changed by the user.

Remarking as FIXED
Comment 31 benc 2002-06-07 07:40:59 PDT
VERIFIED:
this is in the functional test.
Comment 32 debian user 2006-08-16 07:41:27 PDT
advanced.ftp does NOT work in conjunction with network.ftp.anonymous_password!

only
(advanced.mailftp, true) works!

you should change
http://www.mozilla.org/quality/networking/docs/netprefs.html
