Subject: Re: ftp mget security hole
To: Johan Danielsson <joda@pdc.kth.se>
From: Luke Mewburn <lm@cs.rmit.edu.au>
List: tech-security
Date: 11/08/1997 15:46:41
Johan Danielsson writes:
> Luke Mewburn <lm@cs.rmit.edu.au> writes:
>
> > It's not as easy to solve the ``leading ../'' problem in an othorgonal
> > way, that won't break existing *valid* behaviour: do you have any
> > suggestions on how to do this ? (Don't forget that some people like
> > to do "mget */*", and have it work.
>
> What I did was to (in non interactive mode) ignore files starting with
> `../' and `/'.
And how does that protect you against names of the form:
./../badfile
bin/../../badfile # if "./bin" exists
foo/bar/../../../badfile # this may not be a problem if
'foo/bar' doesn't exist, but some
shells (and possibly some systems)
may optimize it to "../badfile"
I'm not saying your intent is bad, just that you have to be extremely
careful to ensure that you won't break expected behaviour as well as
preventing incorrect behaviour. And don't forget that '*/*' may return
different things depending upon the remote system type...