Hi
I don't think that you are making a mistake, but instead have found a loophole.
Originally this was tested mainly with IE6.0 but for the last year or more, more use is made of DOS due to the problems with newer IE versions (IE6.0 was very handy with its FTP drag-and-drop functionality...).
The problem is that the checking routine is letting zero length inputs through (which IE never sends).
To improve this you can make the following change:
- In fnCheckPass() in webutils.c
- just before the following check

    if ((ucCnt < 8) && (*ucNewInput != '&')) {   // if we quit because the end of the reference has been found, we check that also the new input has exactly the same length
        return 1;                                // bad password!!
    }

add a further check

    if (ucCnt == 0) {
        return 1;                                // empty input entered so refuse
    }

This will stop access with anything other than correctly matching user name and password.
There is however a small difficulty with DOS FTP. When the password is refused it used to cause the other clients to close the connection but this is not the case with DOS FTP; it doesn't close the connection automatically so it is necessary to wait for a timeout when it happens. This may be a bit annoying if it is due to a mistake so I have quickly tested the following too:
1) In ftp.c set ucFTP_state = FTP_STATE_PREPARE_CLOSE; instead of ucFTP_state = FTP_STATE_CONNECTED; when the log in fails (just after the line if (cPasswordAccess != 0) { )
2) In fnFTPLister() add the following code to the TCP_EVENT_ACK case:

    case TCP_EVENT_ACK:
        ucLastControl = MSG_DO_NOTHING;
        if (ucFTP_action != DO_LIST) {
    #if defined FTP_USER_LOGIN
            if (FTP_STATE_PREPARE_CLOSE == ucFTP_state) {
                fnTCP_close(Socket);
                ucFTP_state = FTP_STATE_CONNECTED;
                return APP_REQUEST_CLOSE;
            }
    #endif
            fnSendFTP(fnGetQueue());             // if there are queued commands, send the next one
        }
        break;

This doesn't actually close the DOS connection since DOS FTP will not complete the close, but it does make it graceful since DOS FTP then gives up when the user tries entering anything else. Give it a try and see whether it then makes for a practical solution for your requirements.
Regards
Mark
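
Added example, not part of the post above and not uTasker code: a self-contained regression table for the zero-length case discussed in the post, run against a hypothetical stand-in checker. The names check_pass, pass_case and run_cases, the NUL-terminated reference and all sample credentials are assumptions constructed for illustration; only the 8-character limit, the '&' input terminator and the "return 1 means bad password" convention come from the post.

```c
#include <stdio.h>

#define MAX_LEN 8   /* limit taken from the (ucCnt < 8) test in the post */

/* Hypothetical stand-in for fnCheckPass(): returns 0 to accept, 1 for a bad
 * password. The input field ends at '&'; the NUL-terminated reference is an
 * assumption of this example. */
static int check_pass(const char *ref, const char *input)
{
    unsigned char ucCnt = 0;

    while (ucCnt < MAX_LEN && ref[ucCnt] != '\0') {
        if (input[ucCnt] != ref[ucCnt]) {
            return 1;       /* mismatch, or input ended before the reference */
        }
        ucCnt++;
    }
    if (ucCnt == 0) {
        return 1;           /* nothing was compared: refuse empty input */
    }
    if (input[ucCnt] != '&') {
        return 1;           /* input is longer than the reference */
    }
    return 0;
}

struct pass_case { const char *ref; const char *input; int expect; };

/* Constructed sample credentials; expect uses the same 0/1 convention. */
static const struct pass_case cases[] = {
    { "secret",   "secret&",     0 },   /* exact match */
    { "secret",   "&",           1 },   /* zero-length input */
    { "",         "&",           1 },   /* zero-length input, unset reference */
    { "secret",   "sec&",        1 },   /* prefix only */
    { "secret",   "secrets&",    1 },   /* one character too long */
    { "12345678", "12345678&",   0 },   /* full-width match */
    { "12345678", "123456789&",  1 },   /* over the 8-character limit */
};

/* Returns the number of cases whose result differs from the expectation. */
static int run_cases(void)
{
    int failures = 0;
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        if (check_pass(cases[i].ref, cases[i].input) != cases[i].expect) {
            printf("FAIL: ref=\"%s\" input=\"%s\"\n", cases[i].ref, cases[i].input);
            failures++;
        }
    }
    return failures;
}

int main(void) { return run_cases(); }
```
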