Ftpfs security hole particularly fixed
Andrew V. Samoilov
kai at cmail.ru
Wed Jan 23 12:05:59 UTC 2002
Hello!
This patch fixes a bug in the ftpfs chmod implementation.
After 4.5.43, chmod fails without warning if it is called not
from the root directory at the ftp site. So uploading over mc ftpfs
can be insecure because uploaded files/directories have
default permissions. BTW, an uploaded file has such permissions
for some time after uploading, before the appropriate chmod call
finishes. Maybe something like "UMASK 077" has to be
passed to the ftp server after establishing the connection. But I don't
know whether this command is widely supported by ftp servers.
As far as I know, wu-ftpd has this command.
Test case:
1. $ touch secure_file
2. $ chmod 600 secure_file
3. <TAB>
4. Connect to ftp server, chdir to tmp.
5. Copy secure_file to this directory. On most ftp servers
it will have 0644 mode.
Regards,
Andrew.
--- ftpfs.c- Mon Aug 6 18:39:08 2001
+++ ftpfs.c Tue Jan 22 22:28:17 2002
@@ -1518,7 +1551,7 @@ static int ftpfs_chmod (vfs *me, char *p
{
char buf[BUF_SMALL];
- g_snprintf(buf, sizeof(buf), "SITE CHMOD %4.4o %%s", mode & 07777);
+ g_snprintf(buf, sizeof(buf), "SITE CHMOD %4.4o /%%s", mode & 07777);
return send_ftp_command(me, path, buf, OPT_IGNORE_ERROR | OPT_FLUSH);
}
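Review bot: on the changed `g_snprintf` line, the hard-coded `/` before `%%s` assumes `path` always arrives relative to the server root and without a leading slash; if any caller passes a path that already begins with `/`, the command is sent with a doubled slash. Consider adding the slash only when `path` does not already start with one, and put a comment above `ftpfs_chmod` stating the expected form of `path`. Separately, the unchanged `send_ftp_command` call keeps `OPT_IGNORE_ERROR`, so a server that rejects `SITE CHMOD` still leaves the upload with default permissions and no warning; surfacing that failure to the user would cover the silent part of the problem described in the message.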