Subject: CVS commit: src/usr.bin/ftp
To: None <source-changes@NetBSD.org>
From: Luke Mewburn <lukem@netbsd.org>
List: source-changes
Date: 01/03/2005 09:50:10
Module Name:	src
Committed By:	lukem
Date:		Mon Jan  3 09:50:10 UTC 2005

Modified Files:
	src/usr.bin/ftp: cmds.c extern.h ftp_var.h util.c version.h

Log Message:
Forbid filenames returned from mget that aren't in (or below) the
current directory.
The previous behaviour (of trusting the remote server's response when
retrieving the list of files to mget with prompting disabled) has been
in ftp ~forever, and has been a "known issue" for a long time.
Recently an advisory was published by D.J. Bernstein on behalf of
Yosef Klein warning of the problems with the previous behaviour, so
to alleviate concern I've fixed this with a sledgehammer.

Remember the local cwd after any operation which may change it.
Use "remotecwd" instead of "remotepwd".


To generate a diff of this commit:
cvs rdiff -r1.108 -r1.109 src/usr.bin/ftp/cmds.c
cvs rdiff -r1.62 -r1.63 src/usr.bin/ftp/extern.h
cvs rdiff -r1.68 -r1.69 src/usr.bin/ftp/ftp_var.h
cvs rdiff -r1.116 -r1.117 src/usr.bin/ftp/util.c
cvs rdiff -r1.42 -r1.43 src/usr.bin/ftp/version.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
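
The rule stated in the log message (accept a name from the server only if it is in or below the current directory), as an added example that is not the code from this commit. `name_within_cwd`, `MAXPATH` and the sample paths are hypothetical; the check is purely lexical, so it assumes an absolute, normalized cwd and does not resolve symlinks.

```c
#include <stdio.h>
#include <string.h>
#define MAXPATH 1024	/* buffer size chosen for this example */
/*
 * Hypothetical helper, not the function from the commit: lexically resolve
 * a server-supplied name against cwd; return 1 if the result is cwd or
 * below it, else 0. Assumes cwd is absolute and normalized; no symlinks.
 */
static int name_within_cwd(const char *cwd, const char *name)
{
	char path[MAXPATH], out[MAXPATH] = "";
	char *p, *slash;
	size_t len, cwdlen = strlen(cwd);
	int n;
	if (cwd[0] != '/')
		return 0;
	/* An absolute name stands alone; a relative one is joined to cwd. */
	n = (name[0] == '/') ? snprintf(path, sizeof(path), "%s", name)
	    : snprintf(path, sizeof(path), "%s/%s", cwd, name);
	if (n < 0 || (size_t)n >= sizeof(path))
		return 0;	/* too long: refuse rather than truncate */
	for (p = path; *p != '\0'; p += len) {
		p += strspn(p, "/");	/* skip separators */
		len = strcspn(p, "/");	/* length of the next component */
		if (len == 0 || (len == 1 && p[0] == '.'))
			continue;
		if (len == 2 && p[0] == '.' && p[1] == '.') {
			if ((slash = strrchr(out, '/')) != NULL)
				*slash = '\0';	/* ".." drops the last component */
			continue;
		}
		strcat(out, "/");
		strncat(out, p, len);
	}
	if (cwdlen == 1)
		return 1;	/* cwd is "/": every path is below it */
	/* The prefix must end on a component boundary ("/dl" vs "/dl2"). */
	return strncmp(out, cwd, cwdlen) == 0 &&
	    (out[cwdlen] == '\0' || out[cwdlen] == '/');
}

int main(void)
{
	/* Constructed sample names, as a server might return them for mget. */
	const char *names[] = { "notes.txt", "../.profile", "/etc/passwd" };
	for (size_t i = 0; i < 3; i++)
		printf("%-12s -> %d\n", names[i], name_within_cwd("/home/user/dl", names[i]));
	return 0;
}
```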