[ZCM] [ZC] 255/ 1 Request "FTP login: wrong username/password will return "230 Login successful""

Thu, 28 Feb 2002 17:48:02 -0500

Issue #255 Update (Request) "FTP login: wrong username/password will return "230 Login successful""
 Status Pending, ZServer/bug medium
To followup, visit:
  http://collector.zope.org/Zope/255

==============================================================
= Request - Entry #1 by Anonymous User on Feb 28, 2002 5:48 pm

When logging in via FTP, entering any string as username or password will yield a "230 Login successful". While I can see why (an anonymous user might be allowed to connect via FTP), this is a problem for the built-in FTP client in Windows (2000/XP), i.e. when trying to create a "Network Place" (in "My Network Places"). This will not work without specifying the password in the actual URL (Windows will not query the user for the password).

Using ethereal will reveal that Windows, after sending the command "USER <username>" will send "PASS", without specifying a password. The expected response here is "530 Unauthorized" (if a password is required), and if such a reply is received, Windows will prompt the user for a password an try to login again. Zope however will reply "230 Login successful", which will lead Windows to believe that no password is required, trying to continue with file listing etc, which will fail.

The only way to connect to Zope via Windows "Network Place"-method is to specify both user name and password in the url (e.g. ftp://<username>:<password>@<hostname>/). Even if this works, the password is displayed in clear text in Windows Explorer and while connected, which is clearly inappropriate.
==============================================================