the .netrc man page neglects to disclose the format for the password string
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| netkit-ftp (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
The FTP man page references the .netrc man page for the .netrc file format. The .netrc man page simply states that the “password” token is followed by the actual password, but it does not specify the format of that string.
The problem is that different applications have different expectations for how that password string is represented. If an actual password contains both a single quote and a double quote, cURL expects the password to be entirely unquoted in .netrc (in fact, curl expects all passwords to be unquoted and even treats surrounding quotes as part of the password). Whereas fetchmail references the FTP man page and from testing it’s clear that fetchmail expects bash-style quoting. So take this password for example:
foo'123"bar
cURL expects .netrc to have → machine … username … password foo'123"bar
fetchmail expects .netrc to have → machine … username … password foo"'"123'"'bar
Consequently curl and fetchmail cannot both make use of the same .netrc record. And there is no basis for reporting a bug against curl or fetchmail because the format is not documented. It’s interesting to note that IBM is apparently the only organization to even attempt to produce a spec for the password string:
https:/
but also note that IBM’s spec is broken, because it gives no instruction for the situation where a password contains both a single and double quote. Perhaps the IBM docs can be used as a precursor to deriving a properly documented password string for the .netrc file.
| Bill Yikes (yik3s) wrote | #1 |
Also note that wget checks the syntax of the ~/.netrc file every time it runs with default options, and it gives a warning when bash-style quoting is used for FTP & Fetchmail. Reported here:
https:/