GNOME Bugzilla – Bug 538432
FTP URLs ftp://user:pass@example.com/ do not work
Last modified: 2012-03-28 15:58:48 UTC
Please describe the problem: If I Ctrl+L to a FTP location, and I enter the URL in the form ftp://user:pass@example.com/ Nautilus will take "user:pass" as username and ask for a password, which (of course) won't work out. It should split "user:pass" into username and password fields and use them to authenticate. To avoid this bug, I have to enter ftp://user@example.com/ and only enter the password when asked for it. The above URL scheme (with password included) is an allowed representation of an URL, as described in RFC1738, Section 3.1. Nautilus/GVFS should accept URLs like "ftp://user:pass@example.com/" and use the specified password accordingly. Steps to reproduce: 1. Have an FTP account with authentication 2. Press Ctrl+L and enter ftp://[your-username]:[your-password]@[servername]/ 3. Have Nautilus ask for a password, enter your password Actual results: Nautilus uses "[your-username]:[your-password]" as username and the password entered in the password dialog to authenticate to the FTP server Expected results: Nautilus uses "[your-username]" as username and "[your-password]" as password to authenticate to the FTP server and does NOT ask for the password again Does this happen every time? Yes Other information:
I've just confirmed this issue by running Wireshark locally. Nautilus/GVFS indeed uses the username + ":" + password (as specified in the URL) to authenticate to the server. This could also be seen as a security bug, as the password would probably appear in the server's logs ("user XXXX login failed", where XXXX includes the username, the colon and the password) - security issue?
I have not the permissions, but as Jani pointed out I think as well this is a dupe of bug #628430
Okay, let's close it as a duplicate of that, since it has an interesting discussion. *** This bug has been marked as a duplicate of bug 628430 ***