[Bug 1976341] Re: the .netrc man page neglects to disclose the format for the password string

Bill Yikes 1976341 at bugs.launchpad.net
Sun Jun 5 16:49:00 UTC 2022


Also note that wget checks the syntax of the ~/.netrc file every time it
runs with default options, and it gives a warning when bash-style
quoting is used for FTP & Fetchmail.  Reported here:

https://savannah.gnu.org/bugs/index.php?62586

** Bug watch added: GNU Savannah Bug Tracker #62586
   http://savannah.gnu.org/bugs/?62586

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to netkit-ftp in Ubuntu.
https://bugs.launchpad.net/bugs/1976341

Title:
  the .netrc man page neglects to disclose the format for the password
  string

Status in netkit-ftp package in Ubuntu:
  New

Bug description:
  The FTP man page references the .netrc man page for the .netrc file
  format.  The .netrc man page simply states that the “password” token
  is followed by the actual password, but it does not specify the format
  of that string.

  The problem is that different applications have different expectations
  for how that password string is represented.  If an actual password
  contains both a single quote and a double quote, cURL expects the
  password to be entirely unquoted in .netrc (in fact, curl expects all
  passwords to be unquoted and even treats surrounding quotes as part of
  the password).  Whereas fetchmail references the FTP man page and from
  testing it’s clear that fetchmail expects bash-style quoting.  So take
  this password for example:

     foo'123"bar

  cURL expects .netrc to have → machine … username … password foo'123"bar

  fetchmail expects .netrc to have → machine … username … password foo"'"123'"'bar

  Consequently curl and fetchmail cannot both make use of the same
  .netrc record.  And there is no basis for reporting a bug against curl
  or fetchmail because the format is not documented.  It’s interesting
  to note that IBM is apparently the only organization to even attempt
  to produce a spec for the password string:

  https://www.ibm.com/docs/en/zos/2.3.0?topic=ftp-netrc-data-set

  but also note that IBM’s spec is broken, because it gives no
  instruction for the situation where a password contains both a single
  and double quote.  Perhaps the IBM docs can be used as a precursor to
  deriving a properly documented password string for the .netrc file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/netkit-ftp/+bug/1976341/+subscriptions
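
The mismatch described in the bug report, as an added example that is not part of the original message or of curl's or fetchmail's code: two tokenizers read the same record, one keeping quotes as literal characters (the behaviour the report attributes to curl) and one applying shell quoting rules through Python's `shlex` (a stand-in for the behaviour attributed to fetchmail). The host `example.invalid`, the login `alice` and all function names are assumptions made for the illustration.

```python
import shlex

# The example password from the bug description.
REAL_PASSWORD = "foo'123\"bar"

# Constructed records: host and login are placeholders; the password fields
# are the two spellings quoted in the bug description.
UNQUOTED = "machine example.invalid login alice password foo'123\"bar"
SHELL_QUOTED = "machine example.invalid login alice password foo\"'\"123'\"'bar"


def password_literal(record):
    """Split on whitespace and treat quote characters as ordinary data."""
    tokens = record.split()
    return tokens[tokens.index("password") + 1]


def password_shell_style(record):
    """Apply POSIX shell quoting rules; return None if the record is unparsable."""
    try:
        tokens = shlex.split(record, posix=True)
    except ValueError:  # unbalanced quote, e.g. a lone ' in an unquoted password
        return None
    return tokens[tokens.index("password") + 1]


def readers_that_recover(record, real_password):
    """Name the interpretations under which this record yields the real password."""
    results = {
        "literal": password_literal(record),
        "shell_style": password_shell_style(record),
    }
    return sorted(name for name, value in results.items() if value == real_password)


if __name__ == "__main__":
    for label, record in (("unquoted", UNQUOTED), ("shell-quoted", SHELL_QUOTED)):
        print(label, "->", readers_that_recover(record, REAL_PASSWORD))
```

Neither spelling is recovered by both interpretations, so a client using the wrong one for a given record would submit a wrong password or reject the file.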