The libcurl FTP(S) protocol will reuse a connection even if a different CURLOPT_FTP_ACCOUNT (libcurl) or --ftp-account (curl) is specified for different connections and the server requests account authentication via reply code 332. It appears that STRING_FTP_ALTERNATIVE_TO_USER (libcurl) or --ftp-alternative-to-user (curl) is also affected and should also result in caching being refused.
echo -e "foo\n" | nc -v -l -p 9998; echo -e "bar\n" | nc -v -l -p 9998
echo -ne "220 a\n331 b\n332 c\n230 d\n257 \"/\"\n229 (|||9998|)\n200 e\n213 4\n150 f\n226 g\n229 (|||9998|)\n213 4\n150 f\n226 g\n" | nc -v -l -p 9999
curl -v --ftp-account alice "ftp://ftp@server:9999/file1" -: --ftp-account bob "ftp://ftp@server:9999/file2"
As a result, the connection authenticated as user alice will be used when fetching file2, even though user bob was specified for fetching it.
CURLOPT_FTP_ACCOUNT or STRING_FTP_ALTERNATIVE_TO_USER are different.
Accessing content with wrong cached credentials.
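
The reuse decision this report describes, as an added example that is not part of the original report and is not libcurl's own code: a simplified C model that puts a match ignoring the account options beside one that refuses reuse when they differ. The struct, its fields, both function names and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified view of the settings a cached FTP connection
   was authenticated with. These are not libcurl's internal structures. */
struct ftp_settings {
  const char *host; int port; const char *user;
  const char *account;      /* value sent with ACCT after a 332 reply */
  const char *alt_to_user;  /* command sent as the alternative to USER */
};

/* NULL-safe equality: an unset option only matches another unset option. */
static int same_str(const char *a, const char *b)
{
  if(!a || !b)
    return a == b;
  return strcmp(a, b) == 0;
}

/* Behaviour described in the report: the account options are ignored. */
int reuse_ok_weak(const struct ftp_settings *c, const struct ftp_settings *r)
{
  return same_str(c->host, r->host) && c->port == r->port &&
         same_str(c->user, r->user);
}

/* Hardened check: refuse reuse when either account-related option differs. */
int reuse_ok_strict(const struct ftp_settings *c, const struct ftp_settings *r)
{
  return reuse_ok_weak(c, r) &&
         same_str(c->account, r->account) &&
         same_str(c->alt_to_user, r->alt_to_user);
}

/* Constructed sample values mirroring the two transfers in the report. */
static const struct ftp_settings as_alice = { "server", 9999, "ftp", "alice", NULL };
static const struct ftp_settings as_bob   = { "server", 9999, "ftp", "bob", NULL };
static const struct ftp_settings no_acct  = { "server", 9999, "ftp", NULL, NULL };

int main(void)
{
  printf("weak,   alice then bob:  %d\n", reuse_ok_weak(&as_alice, &as_bob));
  printf("strict, alice then bob:  %d\n", reuse_ok_strict(&as_alice, &as_bob));
  printf("strict, alice then none: %d\n", reuse_ok_strict(&as_alice, &no_acct));
  return 0;
}
```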