CSID "Forbidden command argument" against ProFTPD Server

Advertisement

mwilson
Joined:
Posts:
3

CSID "Forbidden command argument" against ProFTPD Server

Issue in version: WinSCP Version 6.1.2 (Build 13797 2023-09-19)
Previous working version: WinSCP Version 5.13.7 (Build 9125)

We are using WinSCP as a library for FTP and SFTP connections to external vendors. After upgrading to version 6.1.2, one of our vendor connections using FTP started failing with "Forbidden command argument." We traced this to an unexpected disconnect after sending a CSID command as part of the initial connection handshake. The previous version we were using, 5.13.7, does not appear to support the CSID command and so did not send it.

Working with the vendor, they reported back to us the command was malformed and sent a link to the IETF spec: https://datatracker.ietf.org/doc/html/draft-peterson-streamlined-ftp-command-extensions-10#section-6

This says in part: "The semicolon following the argument value is required even after the last argument specified."

The CSID command does seem to be formatted without a semicolon following the last argument:
https://github.com/winscp/winscp/blob/master/source/core/FtpFileSystem.cpp#L1842

Maybe ProFTPD is more strict than other FTP servers by default or this vendor has set it to be, but asking them to change their rules will be extremely difficult. Can you advise on a workaround?

Thank you!

Client side session logs:
. 2023-10-25 10:51:37.436 --------------------------------------------------------------------------
. 2023-10-25 10:51:37.436 WinSCP Version 6.1.2 (Build 13797 2023-09-19) (OS 10.0.19044 – Windows 10 Enterprise)
. 2023-10-25 10:51:37.437 Configuration: C:\Temp\WinSCP\6.1.2\WinSCP.ini
. 2023-10-25 10:51:37.437 Log level: Debug 2, Logging passwords
. 2023-10-25 10:51:37.437 Local account: user_account
. 2023-10-25 10:51:37.437 Working directory: C:\Temp\WinSCP\6.1.2
. 2023-10-25 10:51:37.437 Process ID: 27196
. 2023-10-25 10:51:37.459 Ancestor processes: explorer, ...
. 2023-10-25 10:51:37.460 Command-line: "C:\Temp\WinSCP\6.1.2\WinSCP.exe" 
. 2023-10-25 10:51:37.460 Time zone: Current: GMT-5, Standard: GMT-6 (Central Standard Time), DST: GMT-5 (Central Daylight Time), DST Start: 3/12/2023, DST End: 11/5/2023
. 2023-10-25 10:51:37.460 Login time: Wednesday, October 25, 2023 10:51:37 AM
. 2023-10-25 10:51:37.460 --------------------------------------------------------------------------
. 2023-10-25 10:51:37.460 Session name: 0126@XX.XX.XX.XX (Ad-Hoc site)
. 2023-10-25 10:51:37.460 Host name: XX.XX.XX.XX (Port: 21)
. 2023-10-25 10:51:37.460 User name: 0126 (Password: XXXXXXXX, Key file: No, Passphrase: No)
. 2023-10-25 10:51:37.460 Transfer Protocol: FTP
. 2023-10-25 10:51:37.460 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2023-10-25 10:51:37.460 Disable Nagle: No
. 2023-10-25 10:51:37.460 Proxy: None
. 2023-10-25 10:51:37.460 Send buffer: 262144
. 2023-10-25 10:51:37.460 UTF: Auto
. 2023-10-25 10:51:37.460 FTPS: None [Client certificate: No]
. 2023-10-25 10:51:37.460 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2023-10-25 10:51:37.460 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2023-10-25 10:51:37.460 Cache directory changes: Yes, Permanent: Yes
. 2023-10-25 10:51:37.460 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2023-10-25 10:51:37.460 Timezone offset: 0h 0m
. 2023-10-25 10:51:37.460 --------------------------------------------------------------------------
. 2023-10-25 10:51:37.528 Connecting to 0126@XX.XX.XX.XX ...
. 2023-10-25 10:51:37.528 Connection pending
. 2023-10-25 10:51:37.528 Connected with XX.XX.XX.XX. Waiting for welcome message...
. 2023-10-25 10:51:37.528 Read 391 bytes
< 2023-10-25 10:51:37.528 220-Tous les accès au système sont vérifiés et enregistrés.
< 2023-10-25 10:51:37.528  L'utilisation de ce service et répertoire est réservée à l'utilisation de nos clients.
< 2023-10-25 10:51:37.528  Toute utilisation du service et répertoire par une autre compagnie/personne est prohibée.
< 2023-10-25 10:51:37.528  
< 2023-10-25 10:51:37.528  All access to the system are monitored and recorded.
< 2023-10-25 10:51:37.528  The use of this service and directory is reserved for the use of our clients.
. 2023-10-25 10:51:37.528 Read 119 bytes
< 2023-10-25 10:51:37.528  Any use of this service by another company/person is prohibited.
< 2023-10-25 10:51:37.528 220 ProFTPD Server (XXXXX FTP Server) [XX.XX.XX.XX]
> 2023-10-25 10:51:37.528 USER 0126
. 2023-10-25 10:51:37.528 Read 32 bytes
< 2023-10-25 10:51:37.528 331 Password required for 0126
> 2023-10-25 10:51:37.528 PASS XXXXXXXX
. 2023-10-25 10:51:37.528 Read 66 bytes
< 2023-10-25 10:51:37.528 230-User '0126' allowed by access rules
< 2023-10-25 10:51:37.528 230 User 0126 logged in
> 2023-10-25 10:51:37.528 SYST
. 2023-10-25 10:51:37.528 Read 19 bytes
< 2023-10-25 10:51:37.528 215 UNIX Type: L8
> 2023-10-25 10:51:37.528 FEAT
. 2023-10-25 10:51:37.528 Read 259 bytes
< 2023-10-25 10:51:37.528 211-Features:
< 2023-10-25 10:51:37.528  CLNT
< 2023-10-25 10:51:37.528  CSID
< 2023-10-25 10:51:37.528  EPRT
< 2023-10-25 10:51:37.528  EPSV
< 2023-10-25 10:51:37.528  HOST
< 2023-10-25 10:51:37.528  MDTM
< 2023-10-25 10:51:37.528  MFF modify;UNIX.group;UNIX.mode;
< 2023-10-25 10:51:37.528  MFMT
< 2023-10-25 10:51:37.528  MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.groupname*;UNIX.mode*;UNIX.owner*;UNIX.ownername*;
< 2023-10-25 10:51:37.528  RANG STREAM
< 2023-10-25 10:51:37.528  REST STREAM
< 2023-10-25 10:51:37.528  SIZE
< 2023-10-25 10:51:37.528  TVFS
< 2023-10-25 10:51:37.528 211 End
> 2023-10-25 10:51:37.528 CLNT WinSCP-release-6.1.2
. 2023-10-25 10:51:37.528 Read 8 bytes
< 2023-10-25 10:51:37.528 200 OK
> 2023-10-25 10:51:37.528 OPTS UTF8 ON
. 2023-10-25 10:51:37.528 Read 30 bytes
< 2023-10-25 10:51:37.528 500 OPTS UTF8 not understood
. 2023-10-25 10:51:37.561 Connected
. 2023-10-25 10:51:37.561 Got reply 1 to the command 1
. 2023-10-25 10:51:37.561 --------------------------------------------------------------------------
. 2023-10-25 10:51:37.561 Using FTP protocol.
. 2023-10-25 10:51:37.561 Doing startup conversation with host.
> 2023-10-25 10:51:37.578 CSID Name=WinSCP;Version=6.1.2
. 2023-10-25 10:51:37.578 Read 59 bytes
< 2023-10-25 10:51:37.579 550 Name=WinSCP;Version=6.1.2: Forbidden command argument
. 2023-10-25 10:51:37.579 Got reply 4 to the command 16
. 2023-10-25 10:51:37.579 Getting current directory name.
> 2023-10-25 10:51:37.579 PWD
. 2023-10-25 10:51:37.579 Read 34 bytes
< 2023-10-25 10:51:37.579 257 "/" is the current directory
. 2023-10-25 10:51:37.579 Got reply 1 to the command 16
. 2023-10-25 10:51:37.634 Retrieving directory listing...
> 2023-10-25 10:51:37.634 TYPE A
. 2023-10-25 10:51:37.634 Read 19 bytes
< 2023-10-25 10:51:37.634 200 Type set to A
> 2023-10-25 10:51:37.635 PASV
. 2023-10-25 10:51:37.635 Read 52 bytes
< 2023-10-25 10:51:37.635 227 Entering Passive Mode (198,235,27,150,239,22).
> 2023-10-25 10:51:37.635 MLSD
. 2023-10-25 10:51:37.636 Connecting to XX.XX.XX.XX:61206 ...
. 2023-10-25 10:51:37.636 Connection pending
. 2023-10-25 10:51:37.636 Data connection opened
. 2023-10-25 10:51:37.636 Read 49 bytes
< 2023-10-25 10:51:37.636 150 Opening ASCII mode data connection for MLSD
(File listing)
. 2023-10-25 10:51:37.674 Data connection closed
. 2023-10-25 10:51:37.674 Data connection closed
. 2023-10-25 10:51:37.674 Read 23 bytes
< 2023-10-25 10:51:37.674 226 Transfer complete
. 2023-10-25 10:51:37.675 Directory listing successful
. 2023-10-25 10:51:37.675 Got reply 1 to the command 2
. 2023-10-25 10:51:37.710 Session upkeep
. 2023-10-25 10:51:37.737 Attempt to close connection due to fatal exception:
* 2023-10-25 10:51:37.737 (ExtException) **Name=WinSCP;Version=6.1.2: Forbidden command argument**
. 2023-10-25 10:51:37.738 Connection closed
. 2023-10-25 10:51:37.738 Got reply 1004 to the command 2
* 2023-10-25 10:51:37.742 (EFatal) **Name=WinSCP;Version=6.1.2: Forbidden command argument**
. 2023-10-25 10:51:40.298 Disconnected from server
. 2023-10-25 10:51:40.298 Connection closed
. 2023-10-25 10:56:17.156 --------------------------------------------------------------------------
. 2023-10-25 10:56:17.157 WinSCP Version 6.1.2 (Build 13797 2023-09-19) (OS 10.0.19044 – Windows 10 Enterprise)
. 2023-10-25 10:56:17.157 Configuration: C:\Temp\WinSCP\6.1.2\WinSCP.ini
. 2023-10-25 10:56:17.157 Log level: Debug 2, Logging passwords
. 2023-10-25 10:56:17.157 Local account: user_account
. 2023-10-25 10:56:17.157 Working directory: C:\Temp\WinSCP\6.1.2
. 2023-10-25 10:56:17.157 Process ID: 27196
. 2023-10-25 10:56:17.157 Ancestor processes: explorer, ...
. 2023-10-25 10:56:17.157 Command-line: "C:\Temp\WinSCP\6.1.2\WinSCP.exe" 
. 2023-10-25 10:56:17.157 Time zone: Current: GMT-5, Standard: GMT-6 (Central Standard Time), DST: GMT-5 (Central Daylight Time), DST Start: 3/12/2023, DST End: 11/5/2023
. 2023-10-25 10:56:17.158 Login time: Wednesday, October 25, 2023 10:56:17 AM
. 2023-10-25 10:56:17.158 --------------------------------------------------------------------------
. 2023-10-25 10:56:17.158 Session name: 0126@XX.XX.XX.XX (Ad-Hoc site)
. 2023-10-25 10:56:17.158 Host name: XX.XX.XX.XX (Port: 990)
. 2023-10-25 10:56:17.158 User name: 0126 (Password: XXXXXXXX, Key file: No, Passphrase: No)
. 2023-10-25 10:56:17.158 Transfer Protocol: FTP
. 2023-10-25 10:56:17.158 Ping type: Dummy, Ping interval: 30 sec; Timeout: 15 sec
. 2023-10-25 10:56:17.158 Disable Nagle: No
. 2023-10-25 10:56:17.158 Proxy: None
. 2023-10-25 10:56:17.158 Send buffer: 262144
. 2023-10-25 10:56:17.158 UTF: Auto
. 2023-10-25 10:56:17.158 FTPS: Implicit TLS/SSL [Client certificate: No]
. 2023-10-25 10:56:17.158 FTP: Passive: Yes [Force IP: Auto]; MLSD: Auto [List all: Auto]; HOST: Auto
. 2023-10-25 10:56:17.158 Session reuse: Yes
. 2023-10-25 10:56:17.158 TLS/SSL versions: TLSv1.0-TLSv1.3
. 2023-10-25 10:56:17.158 Local directory: default, Remote directory: home, Update: Yes, Cache: Yes
. 2023-10-25 10:56:17.158 Cache directory changes: Yes, Permanent: Yes
. 2023-10-25 10:56:17.158 Recycle bin: Delete to: No, Overwritten to: No, Bin path: 
. 2023-10-25 10:56:17.158 Timezone offset: 0h 0m
. 2023-10-25 10:56:17.158 --------------------------------------------------------------------------
. 2023-10-25 10:56:17.217 Connecting to XX.XX.XX.XX:990 ...
. 2023-10-25 10:56:17.217 Connected
. 2023-10-25 10:56:17.217 TLS layer changed state from unconnected to connecting
. 2023-10-25 10:56:32.155 Timeout detected. (control connection)
. 2023-10-25 10:56:32.155 Connection closed
. 2023-10-25 10:56:32.155 Connection failed.
. 2023-10-25 10:56:32.155 Got reply 1004 to the command 1
. 2023-10-25 10:56:32.156 Connection closed

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
40,852
Location:
Prague, Czechia

Re: CSID "Forbidden command argument" against ProFTPD Server

Thanks for your verbose report.

You are indeed right that WinSCP's CSID command does not conform to the specification.
I'm going to fix that:
Issue 2252 – FTP CSID command does not end with semicolon

But, checking the ProFTPD code, I do not think this is the problem. ProFTPD does not mind about the missing semicolon. And it mainly gracefully ignores any problems with the CSID command syntax.

The only situation in which ProFTPD returns "Forbidden command argument" is when the command argument is explicitly configured as invalid by AllowFilter or DenyFilter directives.
http://www.proftpd.org/docs/howto/Filters.html
You should talk about it with the vendor. Though it's also partly a problem on WinSCP side, as it should not close the connection, when it receives an error response to CSID. I'll look into that too.

In any case, you should be able to work it around by configuring WinSCP not to use CSID.
Use ProtocolFeatures=-CSID:
https://winscp.net/eng/docs/rawsettings#protocolfeatures

Reply with quote

mwilson
Joined:
Posts:
3

First, thank you for the quick response and extremely helpful workaround! I was able to run a successful test via the WinSCP UI using the raw setting that disables CSID against the vendor site. I then incorporated that setting into our software and successfully connected and downloaded from the vendor site.

I will look at trying our the 6.2.3 dev build you provided and report back a little later today.

All your help was very much appreciated!
Matt

Reply with quote

mwilson
Joined:
Posts:
3

Re: CSID "Forbidden command argument" against ProFTPD Server

I've tested the 6.2.3 dev bits and everything appears to work as expected:
  1. Semicolon inserted
  2. Error ignored
Snippet from the log:
. 2024-01-18 12:18:06.642 --------------------------------------------------------------------------
. 2024-01-18 12:18:06.642 Using FTP protocol.
. 2024-01-18 12:18:06.643 Doing startup conversation with host.
> 2024-01-18 12:18:06.656 CSID Name=WinSCP;Version=6.2.3;
. 2024-01-18 12:18:06.669 Read 60 bytes
< 2024-01-18 12:18:06.669 550 Name=WinSCP;Version=6.2.3;: Forbidden command argument
. 2024-01-18 12:18:06.669 Got reply 4 to the command 16
. 2024-01-18 12:18:06.669 CSID command failed
> 2024-01-18 12:18:06.669 PWD
. 2024-01-18 12:18:06.675 Read 34 bytes
< 2024-01-18 12:18:06.675 257 "/" is the current directory

We'll plan to use the 6.1.2 version until 6.2.3 is officially released and packaged on Nuget.org. Until then, the workaround with disabling the CSID protocol is just fine for our purposes.

Thanks again for all your help!

Reply with quote

Advertisement

martin
Site Admin
martin avatar

Re: CSID "Forbidden command argument" against ProFTPD Server

Thanks for your feedback.
WinSCP 6.2.3 RC has been released already.

Reply with quote

Advertisement

You can post new topics in this forum