FTP URLs
An FTP URL designates a file or a a directory on an Internet host accessible using the FTP protocol, (The sample URL above refers to a copy of the FTP protocol specification, RFC 959, in one repository of RFCs. Note that this specification has partly been updated by later RFCs.)
Such URLs are often used in Web documents in order to refer to a resource which is downloadable from a public FTP server (as in the example above). Less importantly, they can also be used to refer to a resource on a non-public area, so that a password is required.
The syntax of FTP URLs
According to the specification of URL formats, RFC 1738, an FTP URL is of the form
ftp:// user : password @ host : port / path
so that some or all of the parts user : password @ , : password , : port and / path may be excluded. Although RFC 1738 has been obsoleted as regards to generic URL syntax (now defined in RFC�3986), some of the specific parts, like FTP URL syntax, are still in force.
The components obey the following rules: user a user name (user id) on the host password the password corresponding to the user name; note: if the user and password field in a URL contains character : or @ or / , the character must be encoded host the fully qualified domain name of a network host, or its IP address port the port number to connect to; it omitted, defaults to 21 path path specification of the form
cwd1 / cwd2 / . / cwdN / name
(where any occurrence of / or ; within a cwdi or the name must be encoded) optionally followed by
;type= typecode
where typecode is one of the characters a , i , d
Effectively, ;type=a means «Ascii mode» (plain text mode) of transfer whereas ;type=i means image (binary) mode. If the ;type= typecode part of an FTP URL is omitted, the client program interpreting the URL must guess the appropriate mode to use. In general, the data content type of a file can only be guessed from the name, e.g., from the suffix of the name; the appropriate type code to be used for transfer of the file can then be deduced from the data content of the file.
User id and password
- the user name anonymous is supplied
- the Internet e-mail address of the end user is supplied as the password.
However, browsers often fail to conform to these requirements. Send email address as anonymous FTP password off by default.—> Generally, they cannot have access to the user’s correct E-mail address. In practice, browsers may send addresses with invented user name parts like mozilla or IE30user . Such «addresses» are syntactically legal in the sense of passing some tests made by an FTP server (such as checking that there is an @ somewhere) but, being fancy nonexistent addresses, fail to serve the purpose for which FTP servers like to get E-mail addresses. (Such purposes may include statistics collection or informing users about errors detected in files which they have fetched.) In some cases, the address passed is a valid address but the address of a proxy or gateway, not the address of the user.
If the URL supplies user but no password and the FTP server requests a password, the program interpreting the FTP URL (usually, a Web browser) should request a password from the user. Typically this takes place in a dialog box in which the password will not be visible as you type it (i.e., no echoing). However, some browsers (e.g., old versions of IE) do not request password from the user; instead, the connection fails.
There is no way in the FTP URL syntax to ask the user agent to prompt for a user name. Either you provide a fixed user name (with or without a password) in the URL or no user name, in which the user name anonymous is used. (Toby Speight has suggested the following way of circumventing this restriction: Instead of providing directly a link with an FTP URL, present an HTML form which asks for the username; make the script which processes the form send a 301 (temporarily moved) response, substituting the received username into the URL in the Location header. Cf. to Get RFC by number — a demonstration of combined client and server side scripting .)
However, IE 7 (where processing of FTP URLs is rather peculiar in many ways), ignores the user and password parts if present. It initiates a dialogue where the user is prompted for them. Any user : password data seems to trigger this; the data is otherwise discarded but taken as a request to use non-anonymous FTP. This can be treated as added security, since passing passwords in URLs is risky, as URL specifications have always said.
Path resolution
- Each of the cwdi ( i = 1, . N ) elements is supplied, sequentially, as the argument to a CWD (change working directory) FTP command. (Some Web browsers do a single combined CWD instead. It is unclear whether this deviation has practical implications.)
- If typecode is d , a NLST (name list) FTP command is performed with name as argument, and the result is interpreted as a file directory listing. (On a typical Web browser, the listing is presented so that entries act as links to files or subdirectories, allowing the user to navigate in a directory tree.) Otherwise, a TYPE FTP command is performed with typecode as the argument, and then the file whose name is name is accessed (for example, using the RETR (retrieve) FTP command).
Browsers often seem to violate this: they effectively start from the root of the file system of the FTP host. (I first observed this in IE 4.0 under Win95 and Lynx 2.7.1 under Unix.) Thus, in order to access file .plan in user jkorpela ‘s home directory on alfa.hut.fi , a correct URL would be ftp://jkorpela@alfa.hut.fi/.plan but this does not work on IE which requires something like ftp://jkorpela@alfa.hut.fi/m/fs/lai/lai/LK/lk/jkorpela/.plan (which does not work on other browsers). Moreover, as mentioned above, some versions of IE are unable to prompt for password, so even that URL might not work unless you put the password there.
Practical remarks
If you refer to resources which require a password (in the genuine sense), you would have to include the password into the URL or accept the fact that (due to IE bugs mentioned above) a large portion of users will be unable to access the resource even if they know the password.
Moreover, when to tell the password for a user name to some people (or perhaps even to the public), you are effectively giving them full access (read and write) to all files under the user name. If the host accepts remote logins, which is pretty common, they can also login under that user name.
Even if the URL is not in an HTML file (e.g. you type the URL directly as input to a Web browser), including a password is a security risk. On most browsers, it will be visible as you type it, and it will be retained by your history file. Thanks to Mosh «LoneWolf» Teitelbaum, who has given a lot of comments on and information for this document.
Jukka Korpela.
Created: 1997-09-18. Last update: 2008-04-03.
Web Design in a Nutshell, 3rd Edition by Jennifer Robbins
Get full access to Web Design in a Nutshell, 3rd Edition and 60K+ other titles, with a free 10-day trial of O’Reilly.
There are also live events, courses curated by job role, and more.
FTP Link (ftp://)
You can link directly to a file on an FTP server. When the user clicks on the link, the file downloads automatically using the browser’s built-in FTP functions and is saved on the user’s machine. If the document is on an anonymous FTP server (no account name and password are required), the FTP link is simple:
To link to an FTP server that requires the user to log in, the format is:
For security purposes, it is highly recommended that you never include both the username and password to a server within an HTML document. If you use the syntax user@server/path , the users will be prompted to enter their passwords in a dialog box.
By default, the requested file is transferred in binary format. To specify that the document should be transferred as an ASCII file, add ;type=a to the end of the URL:
The variable type=d identifies the pathname as a directory and simply displays its contents in the browser window. The variable type=i specifies image or binary mode, which is the default but may also be given explicitly.
Here are some examples of FTP links:
Get Web Design in a Nutshell, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.