Bug #37799 ftp_ssl_connect falls back to ftp_connect silently
Submitted: 2006-06-14 03:00 UTC Modified: 2007-02-20 17:46 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: antispam at brokenhill dot net Assigned:
Status: Closed Package: FTP related
PHP Version: 5,HEAD OS: Mac OS X
Private report: No CVE-ID: None
 [2006-06-14 03:00 UTC] antispam at brokenhill dot net
Description:
------------
One thing that seems clear from my experience, but which is not documented, is that ftp_ssl_connect silently falls back to ftp_connect if ftps is not available. 

Test case: make a ftps connection to a server which does not support ftps. You will still get a connection and be able to use all ftp_ functions. The connection will simply fall back to ftp_connect. 

This should be documented as it could lead to a false sense of security.

Reproduce code:
---------------
	public function connect($host, $user, $pass, $type=self::FTP) {
		$this->_host = $host;
		$this->_user = $user;
		$this->_pw = $pass;
		$this->_type = $type;
		// Request an SSL control connection when FTPS is selected.
		if ($this->_type==self::FTPS) $this->_conn = ftp_ssl_connect($this->_host);
		else $this->_conn = ftp_connect($this->_host);
		// Check the connection first so ftp_login() is never called on FALSE.
		if (!$this->_conn) {
			cx_log("Could not connect to FTP server", __FUNCTION__, __FILE__, CX_ERR_CRITICAL);
			return FALSE;
		}
		$loginResult = ftp_login($this->_conn, $this->_user, $this->_pw);
		if (!$loginResult) {
			cx_log("Could not login to FTP server", __FUNCTION__, __FILE__, CX_ERR_CRITICAL);
			return FALSE;
		}
		return TRUE;
	}


Expected result:
----------------
I would expect to have a ftps connection made, or an error stating that ftps is not available. 



Actual result:
--------------
Instead it silently gives me an ftp_connect (non SSL) connection, which leads to a false sense of security.

Found this out by running tcpdump and seeing that nothing was encrypted.
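
One way to fail closed instead of trusting that a non-FALSE return from ftp_ssl_connect means the session is encrypted, shown as an added example that is not part of the original report or of PHP's own code. The function names read_ftp_reply, server_accepts_auth_tls and connect_ftps_or_fail are hypothetical, and the check assumes explicit FTPS on port 21, where a server that supports TLS answers AUTH TLS with reply code 234 (RFC 4217).

```php
<?php
// Added example; function names are illustrative, not part of PHP's ftp extension.

// Read one complete FTP reply and return its code. Multi-line replies
// (RFC 959) start with "NNN-" and end with a line starting "NNN ".
function read_ftp_reply($sock): int {
    $code = null;
    while (($line = fgets($sock, 4096)) !== false) {
        if (preg_match('/^(\d{3})([ -])/', $line, $m)) {
            $code ??= (int)$m[1];
            if ($m[2] === ' ' && (int)$m[1] === $code) return $code;
        }
    }
    throw new RuntimeException('No complete FTP reply (closed or timed out)');
}

// Pre-flight probe: true only if the server answers AUTH TLS with 234 (RFC 4217).
function server_accepts_auth_tls(string $host, int $port = 21, int $timeout = 10): bool {
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) throw new RuntimeException("Cannot reach $host:$port: $errstr");
    stream_set_timeout($sock, $timeout);
    try {
        if (read_ftp_reply($sock) !== 220) return false;  // no normal greeting
        fwrite($sock, "AUTH TLS\r\n");
        return read_ftp_reply($sock) === 234;
    } finally {
        fclose($sock);
    }
}

// Fail closed: credentials are never sent unless the probe saw 234.
function connect_ftps_or_fail(string $host, string $user, string $pass) {
    if (!server_accepts_auth_tls($host)) {
        throw new RuntimeException("$host refused AUTH TLS; not logging in");
    }
    $conn = ftp_ssl_connect($host);
    if ($conn === false) throw new RuntimeException("ftp_ssl_connect($host) failed");
    if (!ftp_login($conn, $user, $pass)) {
        ftp_close($conn);
        throw new RuntimeException("Login to $host failed");
    }
    return $conn;
}

// Offline check of the reply parser on a constructed transcript (not a real capture).
$demo = fopen('php://memory', 'w+');
fwrite($demo, "220-Welcome\r\n220 Ready\r\n502 AUTH not understood\r\n");
rewind($demo);
printf("greeting=%d auth=%d\n", read_ftp_reply($demo), read_ftp_reply($demo));
```

The probe runs in its own session, so it shows what the server offers rather than what the later ftp_ssl_connect session negotiated; a packet capture such as the reporter's tcpdump check remains the way to confirm the real session is encrypted.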

 [2007-02-13 18:33 UTC] nlopess@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

I'll also add a note to the manual in a minute.
 [2007-02-20 17:46 UTC] antispam at brokenhill dot net
Thanks for all your work on the documentation.

--Kristofer Widholm
 