author | yar <yar@FreeBSD.org> | 2003-01-22 16:25:22 +0000 |
---|---|---|
committer | yar <yar@FreeBSD.org> | 2003-01-22 16:25:22 +0000 |
commit | f5eff04464272725a348753d947f05320a56fc80 (patch) | |
tree | b278a2b7d3770a16ccdc7281cfd9c5686d1728f8 /libexec/ftpd/ftpcmd.y | |
parent | 15aba21762db566264aef3f0ac15a65c639f59f7 (diff) | |
Prevent server-side glob(3) patterns from expanding
to a pathname that contains '\r' or '\n'.
Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.
Diffstat (limited to 'libexec/ftpd/ftpcmd.y')
-rw-r--r-- | libexec/ftpd/ftpcmd.y | 21 |
1 files changed, 17 insertions, 4 deletions
diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y
index 6201546..8dcff53 100644
--- a/libexec/ftpd/ftpcmd.y
+++ b/libexec/ftpd/ftpcmd.y
@@ -972,8 +972,10 @@ pathname
 */
 if (logged_in && $1) {
 glob_t gl;
+ char *p, **pp;
 int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
+ int n;
 memset(&gl, 0, sizeof(gl));
 flags |= GLOB_MAXPATH;
@@ -982,11 +984,22 @@ pathname
 gl.gl_pathc == 0) {
 reply(550, "wildcard expansion error");
 $$ = NULL;
- } else if (gl.gl_pathc > 1) {
- reply(550, "ambiguous");
- $$ = NULL;
 } else {
- $$ = strdup(gl.gl_pathv[0]);
+ n = 0;
+ for (pp = gl.gl_pathv; *pp; pp++)
+ if (strcspn(*pp, "\r\n") ==
+ strlen(*pp)) {
+ p = *pp;
+ n++;
+ }
+ if (n == 0)
+ $$ = strdup($1);
+ else if (n == 1)
+ $$ = strdup(p);
+ else {
+ reply(550, "ambiguous");
+ $$ = NULL;
+ }
 }
 globfree(&gl);
 free($1); |
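Review bot: The `n == 0` branch in the second hunk falls back to `strdup($1)`, the client-supplied pattern, without the CR/LF test that the loop applies to every glob(3) result, so when every match is filtered out the returned pathname is unchecked. Whether `$1` can still contain '\r' or '\n' depends on the lexer, which is outside this hunk; if it can, guard the fallback with `if (n == 0 && strcspn($1, "\r\n") == strlen($1))` and answer the remaining case with `reply(550, "wildcard expansion error"); $$ = NULL;`. Both `strdup()` results are assigned unchecked, so an allocation failure produces a NULL pathname with no reply sent from this action. A short comment above the loop, such as `/* Skip matches containing CR or LF: they must never reach the control stream. */`, would record why only some matches are counted. The grammar action starts before the first hunk and continues past the second.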