Ftp login fails with “@“ in the password

[Leyline]

In the newest update ftp stopped working to a server I had saved in. I also deleted the server and re-saved it,
The password has an @ sign in it and the server shows failed login, invalid password and it has encoded the @ symbol in the password as %40.
The password itself should not be encoded this way


Example if the password was p@$$word it is doing p%40$$word and the server says invalid password

[InTheWings]

Reserved characters in URI thrown into vlc should be escaped.
How do you know server gets %40 ?

[Leyline]

In this case I know the server owner and he watched my attempt to log in, if that was it the case I could run my own FileZilla server, and watch the logs myself.
If the characters are sent via an authentication message, they should not be uri escaped.

Here is a log of an ftp client connecting to that server with the same password containing @. While VLC recently worked, now it does not.

Code: Select all

Rec: 220-FileZilla Server 0.9.53 beta Rec: 220-written by Tim Kosse (Tim.Kosse@gmx.de) Rec: 220 Please visit http://sourceforge.net/projects/filezilla/ Send: USER Rec: 331 Password required for Send: PASS ***** Rec: 230 Logged on Connected

[ssbmaccom]

I had a similar issue with one of my users.
My App does not use FTP but HTTP for streaming, and in this case, escaping the "@" character should solve the issue.

Problem is, that an "@" is interpreted as login prefix. Imagine user = "user" and password = "p@ss" results in user:p@ss@server... So only "p" is used as password while ss@server is used as server name. I haven't tried, but I guess also using ":" could cause troubles, at least in the user name

Composing the stream URL including username and password in the user:pass@server is maybe the easiest but not the most secure solution, as both is part of the URL of the request. Usually it is much better to add username and password to the request header - which works fine in my app for querying XML data.

With the stream URLs passed to VLC, this seems much more complicated. Room for improvement. In VLCKit I assume the only way would be to setup a Dialog Provider, that is returning the saved credentials on first call and presenting the login screen on later invocations.

Well, when a user runs into it, there is still a change to convince the user to change his password

[InTheWings]

There shouldn't be any problem if the uri is escaped.
The issue here is either no escape at all, or double escape bug.

[Leyline]

For extra clarity this is not about a stream uri or how the username password is presented in a url. This is about the Local Network, connect to server. FTP with username and password fields.
I had this connection saved and it used to work in a previous version. Recently when I try to connect it fails.
Since it is in the network connection area and not a stream uri this should be able to send the username and password (and it does) separately. Like I said watching the connection logs on the destination ftp it responds to user and pass , VLC just sends %40 where an @ symbol would be. This is a bug that this should not be encoded/escaped. No other ftp client has this problem responding to an ftp connection user / pass request.

[bubu?]

This issue has been fixed, should be shipped with the next update.

[Leyline]

Thanks for letting us know bubu, I am happy to hear it!

Just for historical purposes, as of iOS version 3.0.2 it is not fixed, I will try update this thread with a version number when the fix hits, in case people need to verify they are on the correct track.

[Leyline]

iOS 3.0.3, does not yet contain the fix.

[Leyline]

2018-08-22 This is still an issue in iOS verion 3.1.1 (309) All Along the Watchtower Based On: 3.0.4 Ventari

Does not contain the fix, or the fix does not work. Same exact Problem.