From edwin@mavetju.org Tue Nov 22 02:40:50 2005
Return-Path:
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 71C1016A420
	for ; Tue, 22 Nov 2005 02:40:50 +0000 (GMT)
	(envelope-from edwin@mavetju.org)
Received: from mail3out.barnet.com.au (mail3out.barnet.com.au [202.83.176.17])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 378E343D49
	for ; Tue, 22 Nov 2005 02:40:19 +0000 (GMT)
	(envelope-from edwin@mavetju.org)
Received: by mail3out.barnet.com.au (Postfix, from userid 27)
	id D677E877CAD; Tue, 22 Nov 2005 13:40:16 +1100 (EST)
Received: from mail3-auth.barnet.com.au (mail3.barnet.com.au [202.83.176.16])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "*.barnet.com.au", Issuer "BarNet Root Certificate Authority" (verified OK))
	by mail3.barnet.com.au (Postfix) with ESMTP id B26DC877CA9
	for ; Tue, 22 Nov 2005 13:40:16 +1100 (EST)
Received: from k7.mavetju (edwin-3.int.barnet.com.au [10.10.12.2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "edwin.adsl.barnet.com.au", Issuer "BarNet Root Certificate Authority" (not verified))
	by mail3-auth.barnet.com.au (Postfix) with ESMTP id 377FB877CA4
	for ; Tue, 22 Nov 2005 13:40:16 +1100 (EST)
Received: by k7.mavetju (Postfix, from userid 1001)
	id 0759463A6; Tue, 22 Nov 2005 13:40:15 +1100 (EST)
Message-Id: <20051122024015.0759463A6@k7.mavetju>
Date: Tue, 22 Nov 2005 13:40:15 +1100 (EST)
From: Edwin Groothuis
Reply-To: Edwin Groothuis
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: fetch(1) doesn't honour authentication credentials when going through a proxy
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number: 89403
>Category: bin
>Synopsis: fetch(1) doesn't honour authentication credentials when going through a proxy
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 22 02:50:23 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Edwin Groothuis
>Release: FreeBSD 5.4-RELEASE i386
>Organization:
-
>Environment:
System: FreeBSD tinderbox.barnet.com.au 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun May 8 10:21:06 UTC 2005 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

>Description:

When trying this URL on a machine without HTTP_PROXY defined:

    $ fetch ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo
    fetch: ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo: File unavailable (e.g., file not found, no access)

But when running it on a machine with HTTP_PROXY defined:

    $ fetch ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo
    fetch: ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo: Unauthorized

Network trace gives this:

    T 10.192.1.5:61229 -> 202.83.176.9:8080 [AP]
      GET ftp://3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1..
    ##
    T 10.192.1.5:61229 -> 202.83.176.9:8080 [AP]
      Host: 3dgamers.mirror.internode.on.net..Authorization: Basic M2RncjM1Zzptcj IzZzIzOWE=..User-Agent: fetch libfetch/2.0..Connection: close....

And towards the FTP server:

    T 203.16.214.173:21 -> 202.83.176.9:1982 [AP]
      220 203.16.214.173 FTP server ready..
    #
    T 202.83.176.9:1982 -> 203.16.214.173:21 [AP]
      USER anonymous..
    ##
    T 203.16.214.173:21 -> 202.83.176.9:1982 [AP]
      331 Password required for anonymous...
    #
    T 202.83.176.9:1982 -> 203.16.214.173:21 [AP]
      PASS Squid@..

When telnetting to the proxy and entering this command:

    GET ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1

I see this on the line:

      220 203.16.214.173 FTP server ready..
    #
    T 202.83.176.9:3880 -> 203.16.214.173:21 [AP]
      USER 3dgr35g..
    ##
    T 203.16.214.173:21 -> 202.83.176.9:3880 [AP]
      331 Password required for 3dgr35g...
    #
    T 202.83.176.9:3880 -> 203.16.214.173:21 [AP]
      PASS mr23g239a..
    #
    T 203.16.214.173:21 -> 202.83.176.9:3880 [AP]
      230 Anonymous access granted, restrictions apply...

which is exactly what I expected in the first place.

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
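
Added example, not part of the original report and not fetch, libfetch or Squid code: a small parser run over the two proxy requests shown in the traces above, reporting whether the credentials travel in the request URL or in an Authorization: Basic header, and which FTP login follows. The request bytes are constructed from the traces, and gateway_ftp_user() is a hypothetical model of the proxy behaviour the traces show.

```python
import base64
from urllib.parse import urlsplit

# Constructed from the report's traces: the request fetch sent to the proxy
# (Base64 value rejoined without the space) and the one typed over telnet.
FETCH_REQUEST = (
    b"GET ftp://3dgamers.mirror.internode.on.net/3dgamers/games/quake4/foo HTTP/1.1\r\n"
    b"Host: 3dgamers.mirror.internode.on.net\r\n"
    b"Authorization: Basic M2RncjM1ZzptcjIzZzIzOWE=\r\n"
    b"User-Agent: fetch libfetch/2.0\r\n"
    b"Connection: close\r\n\r\n"
)
TELNET_REQUEST = (
    b"GET ftp://3dgr35g:mr23g239a@3dgamers.mirror.internode.on.net"
    b"/3dgamers/games/quake4/foo HTTP/1.1\r\n\r\n"
)


def credential_locations(raw):
    """Report where a proxy request carries user:password (URL or header)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    found = {"scheme": url.scheme, "url_userinfo": None, "basic_header": None}
    if url.username is not None:
        found["url_userinfo"] = f"{url.username}:{url.password or ''}"
    for line in header_lines:
        name, _, value = line.partition(":")
        kind, _, token = value.strip().partition(" ")
        if name.strip().lower() == "authorization" and kind.lower() == "basic":
            # Basic is plain Base64, so the header exposes the same secret.
            decoded = base64.b64decode(token.strip(), validate=True)
            found["basic_header"] = decoded.decode("latin-1")
    return found


def gateway_ftp_user(raw):
    """Hypothetical model of the proxy behaviour seen in the traces: the FTP
    login comes from the URL userinfo only, otherwise it is anonymous."""
    userinfo = credential_locations(raw)["url_userinfo"]
    return userinfo.split(":", 1)[0] if userinfo else "anonymous"


if __name__ == "__main__":
    for label, raw in (("fetch", FETCH_REQUEST), ("telnet", TELNET_REQUEST)):
        print(label, credential_locations(raw), "-> USER", gateway_ftp_user(raw))
```
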