axel-download-accelerator / axel

Lightweight CLI download accelerator
GNU General Public License v2.0

FTP password can include '@' character #413

Closed DoubleChuang closed 3 months ago

DoubleChuang commented 7 months ago

I cannot use an FTP URL such as ftps://username:pass@word@ftp.host.com

DoubleChuang commented 7 months ago

https://github.com/axel-download-accelerator/axel/blob/master/src/conn.c#L122

Lordakius commented 7 months ago

I would suggest to not enter passwords in this way. See also this on stackexchange.

*edit: Regardless, according to RFC1738, more specifically section 5, it is clearly defined that:

login          = [ user [ ":" password ] "@" ] hostport
password       = *[ uchar | ";" | "?" | "&" | "=" ]

so I would argue that having an '@'-character in your password does not conform to the RFC

DoubleChuang commented 6 months ago

> I would suggest to not enter passwords in this way. See also this on stackexchange.
>
> *edit: Regardless, according to RFC1738, more specifically section 5, it is clearly defined that:
>
> login          = [ user [ ":" password ] "@" ] hostport
> password       = *[ uchar | ";" | "?" | "&" | "=" ]
>
> so I would argue that having an '@'-character in your password does not conform to the RFC

Hi @Lordakius

I think the user and password defined by RFC1738 can use the '@' character, because the "@" character is number 64 in the uchar (0-255) code

user           = *[ uchar | ";" | "?" | "&" | "=" ]
password       = *[ uchar | ";" | "?" | "&" | "=" ]

ismaell commented 3 months ago

No, unescaped @ isn't allowed, since it is reserved in RFC1738:

; Miscellaneous definitions
lowalpha       = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" |
                 "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p" |
                 "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x" |
                 "y" | "z"
hialpha        = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" |
                 "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" |
                 "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z"
alpha          = lowalpha | hialpha
digit          = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
                 "8" | "9"
safe           = "$" | "-" | "_" | "." | "+"
extra          = "!" | "*" | "'" | "(" | ")" | ","
reserved       = ";" | "/" | "?" | ":" | "@" | "&" | "="
hex            = digit | "A" | "B" | "C" | "D" | "E" | "F" |
                 "a" | "b" | "c" | "d" | "e" | "f"
escape         = "%" hex hex
unreserved     = alpha | digit | safe | extra
uchar          = unreserved | escape

On top of that RFC3986 deprecates login information in URLs.
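The grammar quoted in this thread, applied as an added example (not axel's code, and not from any commenter): a raw credential is percent-encoded so that reserved characters such as "@" become escapes, and a credential is checked as it would appear inside a URL. The function names `cred_char_ok`, `escape_cred` and `cred_valid` are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Characters RFC 1738 allows unescaped in user/password:
 * unreserved (alpha | digit | safe | extra) plus ";" "?" "&" "=". */
static int cred_char_ok(unsigned char c)
{
    return c && ((c < 0x80 && isalnum(c)) || strchr("$-_.+!*'(),;?&=", c) != NULL);
}

/* Percent-encode a raw credential into out (outlen bytes, NUL included).
 * Returns the encoded length, or -1 if out is too small. */
int escape_cred(const char *raw, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (; *raw; raw++) {
        unsigned char c = (unsigned char)*raw;
        size_t need = cred_char_ok(c) ? 1 : 3;
        if (n + need + 1 > outlen)
            return -1;
        if (need == 3) {            /* "@" -> "%40", "%" -> "%25", ... */
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            c = (unsigned char)hex[c & 15];
        }
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Return 1 if s is a valid user/password as written in the URL:
 * only allowed characters and well-formed "%" hex hex escapes. */
int cred_valid(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return 0;
            s += 2;
        } else if (!cred_char_ok((unsigned char)*s)) {
            return 0;
        }
    }
    return 1;
}
```

With the password from the report, `escape_cred("pass@word", ...)` yields `pass%40word`, which leaves exactly one unescaped "@" in the login part of the URL.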