Subject: Re: ftp mget security hole
To: Luke Mewburn <lm@cs.rmit.edu.au>
From: Johan Danielsson <joda@pdc.kth.se>
List: tech-security
Date: 11/08/1997 06:31:58
Luke Mewburn <lm@cs.rmit.edu.au> writes:
> > What I did was to (in non interactive mode) ignore files starting with
> > `../' and `/'.
>
> And how does that protect you against names of the form:
It doesn't, you'll have to check for ../ anywhere in the path.
> I'm not saying your intent is bad, just that you have to be
> extremely careful to ensure that you won't break expected behaviour
> as well as preventing incorrect behaviour.
IMO, the expected behavior is broken. `get /foo/bar' should get me a
file in the current directory, not in `/foo'. If you need to copy file
trees, either use a ftpd that supports magic .tar extensions, or
implement mget -r.
That this is more difficult to fix than the related |sh bug, doesn't
mean it should be ignored. Do you have any other suggestions?
> And don't forget that '*/*' may return different things depending
> upon the remote system type...
Yup, but this just strengthens my argument above.
/Johan