Subject: Re: ftpd upload behavior
To: Rumi Szabolcs <firstname.lastname@example.org>
From: Bill Sommerfeld <email@example.com>
Date: 01/21/2001 11:44:01
Both policies (allow anonymous MKD and disallow anonymous MKD) are
"reasonable", assuming that permissions on the anonymously-created
directory are appropriate (allowing upload of files, but not download
or reading of file names).
How about adding a new ftpd.conf command:
mkdir <class> [OFF]
if <class> is "none" or OFF is given, disable the MKD command;
otherwise enable them for the specified class. If both this
directive and "upload" are present, this takes precedence.
 The paranoid should worry about anklebiters encoding war3z into a
series of filenames. The extremely paranoid will worry about "covert
channels" like giving any indication that a file in the incoming
directory already exists.