
Re: URI::ftp ftp anonymous password

From: Gisle Aas
Date: December 6, 2001 09:40
Subject: Re: URI::ftp ftp anonymous password
Message ID: lrsnaockn4.fsf@caliper.ActiveState.com

Cc:-ed to the libwww mailing list.  Does anybody else think this is a
good idea?

eperez@dei.inf.uc3m.es writes:

> I've seen that URI::ftp sends the user name when doing ANONYMOUS ftp gets.
> I see a lot of problems:
> - Sending the user name if the user doesn't know that it's sent doesn't
>   protect the user state of ANONYMOUS
> - Spyware is not a good idea, most users don't like it.
> - Sending the user name helps SPAM instead of stopping it. Many ftp sites
>   use this information to send you unsolicited email.
> - Sending the user name doesn't help ftp sites to know who the cracker is
>   crackers are not stupid to send their email address.
> - Sending the user name can be used to discriminate the user.
> 
> For all of these reasons I argue that URI::ftp should not send the user email
> by default.

Minor correction: URI::ftp does not send anything.  It just suggests a
password for anybody that might ask.  LWP::Protocol::ftp asks and will
use this password to log in.

> Some time ago two very important ftp clients wget and lftp stopped
> sending the user name as password based on my input.
> 
> As more and more ftp clients are moving to this anonymous@ password
> (for example the kde kio ftp, qt3, gnome-xml, Net::FTP)
> I recommend you to apply the patch.
> 
> I send you the bugfix.
> 
> Hoping that you see all of these problems I wait for your comments.
> 
>                 Eduardo Pérez Ureta
> 
> --- URI/ftp.pm	Fri Sep 11 09:54:04 1998
> +++ URI/ftp.pm	Sat Dec  1 11:29:52 2001
> @@ -5,7 +5,6 @@
>  @ISA=qw(URI::_server URI::_userpass);
>  
>  use strict;
> -use vars qw($whoami $fqdn);
>  use URI::Escape qw(uri_unescape);
>  
>  sub default_port { 21 }
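
Review bot: dropping `use vars qw($whoami $fqdn);` removes two package globals that the old code only filled in when they were undefined (`unless (defined $fqdn)`, `unless (defined $whoami)`), so a caller could preset them to choose the suggested password. The change description should say that this hook goes away, and it is worth checking that nothing else in the file still refers to either variable now that `use strict` applies without the declaration.
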
> @@ -31,25 +30,14 @@
>  	my $user = $self->user;
>  	if ($user eq 'anonymous' || $user eq 'ftp') {
>  	    # anonymous ftp login password
> -	    unless (defined $fqdn) {
> -		eval {
> -		    require Net::Domain;
> -		    $fqdn = Net::Domain::hostfqdn();
> -		};
> -		if ($@) {
> -		    $fqdn = '';
> -		}
> -	    }
> -	    unless (defined $whoami) {
> -		$whoami = $ENV{USER} || $ENV{LOGNAME} || $ENV{USERNAME};
> -		unless ($whoami) {
> -		    if ($^O eq 'MSWin32') { $whoami = Win32::LoginName() }
> -		    else {
> -		        $whoami = getlogin || getpwuid($<) || 'unknown';
> -		    }
> -		}
> -	    }
> -	    $pass = "$whoami\@$fqdn";
> +            # If there is no ftp anonymous password specified
> +            # then we'll just use -anonymous@
> +            # We don't send any other thing because:
> +            # - We want to remain anonymous
> +            # - We want to stop SPAM
> +            # - We don't want to let ftp sites to discriminate by the user,
> +            #   host, country or ftp client being used.
> +	    $pass = '-anonymous@';

What does the leading '-' achieve?

>  	}
>      }
>      $pass;
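
Review bot: the comment added above `$pass = '-anonymous@';` never explains the leading '-', and the cover message cites other clients moving to an "anonymous@" password, so the value here is not the one the message refers to. Either document what the '-' is for or use the plain form, since a string specific to this module works against the stated aim of not letting sites discriminate by the ftp client being used. The new comment lines are also indented with spaces where the surrounding code uses tabs.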

Regards,
Gisle
