From f5eff04464272725a348753d947f05320a56fc80 Mon Sep 17 00:00:00 2001
From: yar
Date: Wed, 22 Jan 2003 16:25:22 +0000
Subject: Prevent server-side glob(3) patterns from expanding to a pathname that contains '\r' or '\n'. Together with the earlier STAT bugfix, this must solve the problem of such pathnames appearing in the FTP control stream.
---
 libexec/ftpd/ftpcmd.y | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
(limited to 'libexec/ftpd')
diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y
index 6201546..8dcff53 100644
--- a/libexec/ftpd/ftpcmd.y
+++ b/libexec/ftpd/ftpcmd.y
@@ -972,8 +972,10 @@ pathname
 */
 if (logged_in && $1) {
 glob_t gl;
+ char *p, **pp;
 int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
+ int n;
 memset(&gl, 0, sizeof(gl));
 flags |= GLOB_MAXPATH;
@@ -982,11 +984,22 @@ pathname
 gl.gl_pathc == 0) {
 reply(550, "wildcard expansion error");
 $$ = NULL;
- } else if (gl.gl_pathc > 1) {
- reply(550, "ambiguous");
- $$ = NULL;
 } else {
- $$ = strdup(gl.gl_pathv[0]);
+ n = 0;
+ for (pp = gl.gl_pathv; *pp; pp++)
+ if (strcspn(*pp, "\r\n") ==
+ strlen(*pp)) {
+ p = *pp;
+ n++;
+ }
+ if (n == 0)
+ $$ = strdup($1);
+ else if (n == 1)
+ $$ = strdup(p);
+ else {
+ reply(550, "ambiguous");
+ $$ = NULL;
+ }
 }
 globfree(&gl);
 free($1);
-- cgit v1.1
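Review bot: The `n == 0` fallback `$$ = strdup($1);` in the second hunk returns the client-supplied pattern without the `strcspn(*pp, "\r\n") == strlen(*pp)` test that every glob(3) result has to pass. Because `flags` includes `GLOB_NOCHECK`, a pattern that matches nothing comes back from glob(3) as the pattern itself, so if `$1` can carry a '\r' or '\n' (that depends on the lexer, which is outside this hunk) it is filtered out in the loop and then reinstated by the fallback. Consider guarding that branch with the same test, e.g. `if (n == 0 && strpbrk($1, "\r\n") == NULL)`, and answering 550 with `$$ = NULL` when the pattern itself fails it. The enclosing `pathname` action starts before and continues after the hunk, so this reading rests on the visible lines only.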