Re: [ftpext] New Version of FTP HASH, RANG, LOCK, and HOST

Anthony Bryan <> Sun, 10 March 2013 00:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B1ED721F8493 for <>; Sat, 9 Mar 2013 16:19:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AyRMblmXNTV1 for <>; Sat, 9 Mar 2013 16:19:25 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c01::22a]) by (Postfix) with ESMTP id C10C221F8480 for <>; Sat, 9 Mar 2013 16:19:24 -0800 (PST)
Received: by with SMTP id d42so1051994qca.15 for <>; Sat, 09 Mar 2013 16:19:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=zDhNxgwl2A09fYQEzQGHp3sEo7dNd3Bvye+LZtw1nn4=; b=K8cUzAYX2lDPbIkTygRG9oLPdiNL2Lh+j/iFQsIXx5rjkvTdGN75U9P572DcMHaQsC O76uD1UUT6e4CiY25uhDQ5+vhlVhjY6KxEZxB9TQJseFifSz0SOGpPZAxRX93Aio/sBH Qh1ZpIHfXjXWDZ0mBq1xOJjr9CSfc/Na5G/y7jv1j1A1b8sUwLLaFU5x3w+1S2EVkbtt Hj+qXevLR+2pwmZM/FoEgZSwbpIY05YE8vR6ZX0nJAkvnK3bWV3R3FvUfI3sh+lDX35J RjhlzOmFCW02BhnN6r0mf05TsEnCir9XzGeiQmbpJ2E84nKUjZqTAzmrTldFcCwsEb0n hsuA==
MIME-Version: 1.0
X-Received: by with SMTP id hg8mr10854262qab.74.1362874763939; Sat, 09 Mar 2013 16:19:23 -0800 (PST)
Received: by with HTTP; Sat, 9 Mar 2013 16:19:23 -0800 (PST)
In-Reply-To: <041801cdfce8$98df0fa0$ca9d2ee0$>
References: <> <041801cdfce8$98df0fa0$ca9d2ee0$>
Date: Sat, 9 Mar 2013 19:19:23 -0500
Message-ID: <>
From: Anthony Bryan <>
To: Alun Jones <>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "" <>, Daniel Stenberg <>
Subject: Re: [ftpext] New Version of FTP HASH, RANG, LOCK, and HOST
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 10 Mar 2013 00:19:25 -0000

thanks for the comments!

see diff for changes:

On Sun, Jan 27, 2013 at 6:46 PM, Alun Jones <> wrote:
> After reading the LOCK draft, I have a couple of comments:
> 0. RFC 959 already defines a mechanism - Block Mode over the default port -
> which doesn't require PORT or PASV to operate, and doesn't close connections
> between files. This means that under such a scheme, a firewall's life is
> made easier - you open 21 inbound, and allow outbound connections from port
> 20 on the server. Document this in your draft, and people may start using
> that, just because it already works on many servers.

ok, this is now appendix B. if you have any text suggestions, let us know.

> 1. You need an example showing how an upload works, just to make that clear.


> "When uploading files, the client MUST use end-of-marker solution." You
> don't explain this anywhere, or use the term "end-of-marker" anywhere else
> in the draft.

thanks, fixed.

> 2. You need to answer at least the security questions of how a client is
> protected from a malicious server, and how a server is protected from a
> malicious client, as well as how the connection (client and server) is
> protected against a malicious file. Consider what happens if a file contains
> a number of predicted boundary values, and the server or client is not good
> at picking random numbers for those boundaries. Note, for instance, how SMTP
> does this in the DATA command - the DATA ends with a line containing only
> ".". Any line beginning with a "." in the data has to be prefixed by another
> ".". The receiver then simply strips out the first dot on each line. Don't
> give in to the idea that "random numbers can't be guessed", or that
> accidental occurrences or malicious action won't ever successfully reproduce
> the boundary condition. Make it IMPOSSIBLE.

it's not a secret "random" number that would be "guessed". it's
explicitly given by the sender.

> 3. At least three commands are documented to work while a transfer is in
> progress. STAT, which reports the status of the transfer, NOOP, which does
> nothing (but many clients use to keep the control connection open when a
> firewall might close it over a long data transfer), and ABOR, which stops an
> existing transfer. My suggestion would be that STAT will return a response
> after the data transfer has finished (after the response from the transfer
> completion); NOOP the same; ABOR will interrupt the transfer, the transfer's
> end response will be signaled as interrupted, and the ABOR command will send
> a 426 and 226.

Tim Kosse suggested:

The STAT command and Telnet IP and Synch signals are not allowed
during a running transfer.

any other suggestions?

> 4. Answering your question of "how to unlock" - the obvious way is to use a
> PORT or PASV (or similar) command to re-establish such behavior, or REIN if
> you want to go back to default port operation (and blow away your login,
> other settings, etc).

yes, thanks. added.

> 5. You should indicate in your examples whether the boundary and separator
> lines are sent by client or server, just to avoid confusion.


> Alun.
> ~~~~
>> -----Original Message-----
>> From: [] On Behalf
>> Of Anthony Bryan
>> Sent: Sunday, January 20, 2013 9:01 AM
>> To:
>> Subject: [ftpext] New Version of FTP HASH, RANG, LOCK, and HOST
>> we updated the FTP HASH, RANG, and LOCK drafts, while the authors of
>> HOST have updated their (hopefully final, get any comments or reviews in
>> ASAP) draft.
>> we are mostly interested in finishing up HASH & RANG, but also feel free
> to
>> comment on LOCK. fancy diffs are available. HASH, RANG, & LOCK changes
>> are all editorial or just updating the draft.
>> HASH FTP command to be used by clients to request cryptographic hashes of
>> files.
>> RANG command to be used by clients to designate a start and end point to
>> permit restarts and repairs of interrupted data transfers in STREAM mode.
>> LOCK command to be used by clients to request the server to use the
> control
>> connection for data transfers, using a single port instead of two.
>> also, HOST has been updated:
>> FTP command that provides a mechanism for FTP clients and servers to
>> identify individual virtual hosts on an FTP server.
>> (diffs)

(( Anthony Bryan ... Metalink [ ]
  )) Easier, More Reliable, Self Healing Downloads