Ftpfs security hole particularly fixed
Andrew V. Samoilov
sav at it.efp.com.ua
Wed Jan 30 11:55:26 UTC 2002
Hello!
> Exactly the same is needed to read uploaded files - knowledge level,
> rights (i.e. shell access to the ftp server)
Even ftp access to this ftp server is enough.
> and luck to read the right
> files in the right time (i.e. before chmod). I mean fixed mc. Otherwise
> the luck is not required :-)
> > Do we want to maintain 4.5.x branch and do users need gmc is much
> > more important question.
> Seriously, even Ximian didn't bother to update gmc to 4.5.55. Neither did
> RedHat. What's the purpose in releasing another version that very few
> people will use? Most GNOME users don't compile their sources, even if
> advised of security holes.
Well, I realized the volume of work if we will do at appropriative level.
You assured me :-)
> > > I don't think that using umask is worth the trouble, partly for the
> > > reasons explained above, partly because it only affects FTP upload.
> > > It also takes time to send a command and wait for the result.
> >
> > Well, it may be configurable option in VFS Option menu. BTW I want add
> > "Use Unix ls options" there because wu-ftpd 2.6.1 understands "LIST -la" as
> > "LIST -laR" and confuses mc parser.
>
> I think that "umask" in the menu is an overkill.
I want to leave umask question opened.
> "Use Unix ls options"
> should be there if only it's impossible to avoid. Even in that case, we
> should try to make it remote host-specific, not user-specific.
Well, my wu-ftpd does "LIST -la" absolutely right
and others understand this as "LIST -lad". So, if -d option is a
common place for ftp servers I will commit patch where all of
occurrences of "LIST -la" will be replaced by "LIST -lad"
Regards,
Andrew.