NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bin/43164: tftpd: file upload broken



The following reply was made to PR bin/43164; it has been noted by GNATS.

From: Takahiro Kambe <taca%back-street.net@localhost>
To: hubert%feyrer.de@localhost
Cc: gnats-bugs%NetBSD.org@localhost
Subject: Re: bin/43164: tftpd: file upload broken
Date: Fri, 16 Apr 2010 15:23:22 +0900 (JST)

 In message <alpine.DEB.1.10.1004160808000.21020%calanda.fehu.org@localhost>
        on Fri, 16 Apr 2010 08:08:38 +0200 (CEST),
        Hubert Feyrer <hubert%feyrer.de@localhost> wrote:
 > On Fri, 16 Apr 2010, Takahiro Kambe wrote:
 >> Do you expect to tftpd creating a new file?
 > 
 > When I do "put foo" yes of course I expect it to create a new file
 > "foo".
 Quote from tftpd(8):
 
      The use of tftp(1) does not require an account or password on the remote
      system.  Due to the lack of authentication information, tftpd will allow
      only publicly readable files to be accessed.  Filenames beginning in
      ``../'' or containing ``/../'' are not allowed.  Files may be written to
      only if they already exist and are publicly writable.
 
 It is the specification of tftpd(8) since 4.2BSD.
 
 > That's also what I see from other tftpd implementaitons.
 If you really want to allow tftpd(8) to creating a new file, it should
 be provided as "--insecure" option and not be allowed default.
 
 -- 
 Takahiro Kambe <taca%back-street.net@localhost>
 


Home | Main Index | Thread Index | Old Index