diff options
| author | des <des@FreeBSD.org> | 2014-11-04 23:29:29 +0000 |
|---|---|---|
| committer | des <des@FreeBSD.org> | 2014-11-04 23:29:29 +0000 |
| commit | 95b02b5b83b0f6812368761db9c260b00d6e98bc (patch) | |
| tree | fd8415fea86df50b62ca1c5502282085292c1bf5 /contrib/tnftp | |
| parent | fbac18d4dad11f0259da3386991c3100b097be92 (diff) | |
| download | FreeBSD-src-95b02b5b83b0f6812368761db9c260b00d6e98bc.zip FreeBSD-src-95b02b5b83b0f6812368761db9c260b00d6e98bc.tar.gz | |
[SA-14:25] Fix kernel stack disclosure in setlogin(2) / getlogin(2).
[SA-14:26] Fix remote command execution in ftp(1).
Approved by: so (des)
Diffstat (limited to 'contrib/tnftp')
| -rw-r--r-- | contrib/tnftp/src/fetch.c | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/contrib/tnftp/src/fetch.c b/contrib/tnftp/src/fetch.c index 91b49fd..72153a5 100644 --- a/contrib/tnftp/src/fetch.c +++ b/contrib/tnftp/src/fetch.c @@ -547,7 +547,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) url_decode(decodedpath); if (outfile) - savefile = ftp_strdup(outfile); + savefile = outfile; else { cp = strrchr(decodedpath, '/'); /* find savefile */ if (cp != NULL) @@ -571,8 +571,7 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) rangestart = rangeend = entitylen = -1; mtime = -1; if (restartautofetch) { - if (strcmp(savefile, "-") != 0 && *savefile != '|' && - stat(savefile, &sb) == 0) + if (stat(savefile, &sb) == 0) restart_point = sb.st_size; } if (urltype == FILE_URL_T) { /* file:// URLs */ @@ -1098,17 +1097,25 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) } /* end of ftp:// or http:// specific setup */ /* Open the output file. */ - if (strcmp(savefile, "-") == 0) { - fout = stdout; - } else if (*savefile == '|') { - oldintp = xsignal(SIGPIPE, SIG_IGN); - fout = popen(savefile + 1, "w"); - if (fout == NULL) { - warn("Can't execute `%s'", savefile + 1); - goto cleanup_fetch_url; + + /* + * Only trust filenames with special meaning if they came from + * the command line + */ + if (outfile == savefile) { + if (strcmp(savefile, "-") == 0) { + fout = stdout; + } else if (*savefile == '|') { + oldintp = xsignal(SIGPIPE, SIG_IGN); + fout = popen(savefile + 1, "w"); + if (fout == NULL) { + warn("Can't execute `%s'", savefile + 1); + goto cleanup_fetch_url; + } + closefunc = pclose; } - closefunc = pclose; - } else { + } + if (fout == NULL) { if ((rangeend != -1 && rangeend <= restart_point) || (rangestart == -1 && filesize != -1 && filesize <= restart_point)) { /* already done */ @@ -1318,7 +1325,8 @@ fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth) (*closefunc)(fout); if (res0) freeaddrinfo(res0); - FREEPTR(savefile); + if (savefile != outfile) + FREEPTR(savefile); FREEPTR(uuser); if (pass != NULL) memset(pass, 0, strlen(pass)); |
