Fixed bug that let clients log into the anonymous user without providing a username

FlorianReimold · web-flow · commit e793a9c12133 · 2026-03-26T09:10:23.000+01:00
Before, the server accepted an empty username as anonymous username, even though it reported an error.
Now, the server still reports an error, but also rejects the login. Clients have to use "anonymous" or "ftp" as username to log in as anonymous user and cannot leave the username empty anymore.
diff --git a/fineftp-server/src/ftp_session.cpp b/fineftp-server/src/ftp_session.cpp
@@ -321,7 +321,7 @@ namespace fineftp
 
   void FtpSession::handleFtpCommandPASS(const std::string& param)
   {
-    if (last_command_ != "USER")
+    if (last_command_ != "USER" || username_for_login_.empty())
     {
       sendFtpMessage(FtpReplyCode::COMMANDS_BAD_SEQUENCE, "Please specify username first");
       return;

Original file line number	Diff line number	Diff line change
`@@ -321,7 +321,7 @@ namespace fineftp`
`321`	`321`
`322`	`322`	`void FtpSession::handleFtpCommandPASS(const std::string& param)`
`323`	`323`	`{`
`324`		`- if (last_command_ != "USER")`
	`324`	`+ if (last_command_ != "USER" \|\| username_for_login_.empty())`
`325`	`325`	`{`
`326`	`326`	`sendFtpMessage(FtpReplyCode::COMMANDS_BAD_SEQUENCE, "Please specify username first");`
`327`	`327`	`return;`