Ftpfs security hole particulary fixed

Pavel Roskin proski at gnu.org
Thu Feb 7 04:58:10 UTC 2002


Hello!

> >  You
> > could also test other FTP clients to see it they work with the broken
> > server (try e.g. gftp and Far Manager).
> 
> Far Manager use "LIST" without Unix ls options and does not show dotfiles.

That's what I expected.  Thank you for checking it.

> And if I use "LIST -la" instead "LIST -la ." all is ok.
> I don't know, is this has not problem with other ftp servers, but it seems it's safe.

I tested MC on a few sites and found that it doesn't work on 
ftp.netbsd.org.  It shows the top-level directory, but show nothing in 
/pub.  Here's the log:

PASV
227 Entering Passive Mode (204,152,184,75,238,199)
LIST -la /pub/.
150 Opening ASCII mode data connection for '/bin/ls'.
226 Transfer complete.

I think that "LIST -la /pub" would have chances to work on more systems.  

MC before your patch doesn't work on ftp.netbsd.org at all.  But you 
probably didn't go far enough to eliminate all trailing dots.

>   /* Trailing "/." is necessary if remote_path is a symlink
>             but don't generate "//." */

Maybe trailing "/" is sufficient?  Besides, ftp.netbsd.org/pub is not a 
symlink.  Maybe the code isn't doing what the comment says?

Thank you for your patch!

-- 
Regards,
Pavel Roskin




More information about the mc-devel mailing list