Date: Sat, 19 Jan 2002 13:20:54 -0800
From: Aaron Smith
To: Michael Smith
Cc: Matthew Dillon, freebsd-hackers@FreeBSD.ORG
Subject: Re: ftpd patch that saves me a lot of hassle
Message-ID: <20020119132054.F909@gelatinous.com>
In-Reply-To: <200201192102.g0JL2Op01400@mass.dis.org>; from msmith@freebsd.org on Sat, Jan 19, 2002 at 01:02:24PM -0800

The reason I only test the first character is that lots of filenames I
actually want uploaded may have some funkiness somewhere in their midst.
With an alnum first character I can deal with trash using tab completion
and not block the files I deal with normally.

isprint() is too liberal to save me time -- one careless evening, deleting
a directory named '~' made me have to go to backups. isprint allows a great
deal of stuff I don't want to hassle with, like ~ and &.

Allowing directories to start with underscore sounds reasonable to me,
though. Another idea would be mapping certain special characters to
underscore. Does anyone know if other ftpds like luke's or wu address this
issue?

I wasn't proposing this as a default inclusion, but as far as that goes: a
non-default option noted in the "setting up an anonymous FTP site" section
of the ftpd docs seems the most appropriate option. It's just to save
administrators of anonymous ftp sites a little headache of hidden files and
those beginning with spaces or garbage. Lots of people will be bitten by
this if they don't know about it, especially if it applies to non-anonymous
users. "Why can't I upload my file?" It should probably test whether the
user is anonymous.

If people actually would use such an ftpd option, I'll clean it up and
submit a new patch with doc changes.

Aaron

On Sat, Jan 19, 2002 at 01:02:24PM -0800, Michael Smith wrote:
>
> Use isprint() on the entire string; this will give the desired result in
> most cases. It should probably be optional (defaulting to on, since it's
> a security measure).
>
> > What? You don't like directories named '...w^Ha^Hr^He^Hz^H^H^H' ?
> >
> > I like it, but there are a few problems. What about underscore? And
> > will this mess up people using ftp outside the U.S.?
> >
> > -Matt
> > Matthew Dillon
> >
> >
> > :I got sick of (presumably) warez people probing my anonymous ftp site and
> > :dropping all kinds of hard-to-delete trash in incoming, so I patched my
> > :ftpd to only allow directories to start with alphanumerics. There's
> > :probably a better solution, but this works for me so I figured I'd share.
> > :
> > :Combining this with a umask that doesn't allow reading uploaded files keeps
> > :things reasonably well in hand.
> > :
> > :--Aaron
> > :
> > :
> > :Index: ftpd.c
> > :===================================================================
> > :RCS file: /usr/cvs/src/libexec/ftpd/ftpd.c,v
> > :retrieving revision 1.62.2.15
> > :diff -u -r1.62.2.15 ftpd.c
> > :--- ftpd.c 2001/12/18 18:35:55 1.62.2.15
> > :+++ ftpd.c 2002/01/19 09:47:42
> > :@@ -2216,6 +2216,12 @@
> > : {
> > :
> > : LOGCMD("mkdir", name);
> > :+
> > :+ if (!isalnum(*name)) {
> > :+ reply(521, "Bite me.");
> > :+ return;
> > :+ }
> > :+
> > : if (mkdir(name, 0777) < 0)
> > : perror_reply(550, name);
> > : else
> > :
> > :To Unsubscribe: send mail to majordomo@FreeBSD.org
> > :with "unsubscribe freebsd-hackers" in the body of the message
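
Review bot: The added check `if (!isalnum(*name))` looks only at the first byte of the whole `name` argument, which is the same string passed to `mkdir(name, 0777)` and so may be a path; a request such as `incoming/.hidden` begins with `i` and still creates a component with a leading dot. Apply the test to the first character of the final path component (after the last `/`), or to every component. Two smaller points on the same lines: `isalnum()` requires a value representable as `unsigned char`, so write `isalnum((unsigned char)*name)` to avoid undefined behaviour on high-bit bytes, and `reply(521, "Bite me.")` should use the 550 code that the neighbouring `perror_reply(550, name)` uses, with a message that tells the client why the name was refused. As posted, the check also runs for every session rather than only anonymous ones.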
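
The naming policies debated in this thread, side by side, as an added example (not code from ftpd.c or from any poster). `upload_name_ok` and `enum name_policy` are hypothetical names; the function checks every path component rather than only the first byte of the argument, and skips the check for non-anonymous sessions.

```c
#include <ctype.h>
#include <stddef.h>

/* Policies raised in the thread; all names here are hypothetical. */
enum name_policy {
    POLICY_FIRST_ALNUM,     /* each component starts with an alphanumeric */
    POLICY_FIRST_ALNUM_US,  /* as above, but '_' may also lead */
    POLICY_ALL_PRINT        /* isprint() on the entire string */
};

/*
 * Return 1 if a mkdir/upload path is acceptable, 0 otherwise.
 * anonymous == 0 bypasses the check, so logged-in users are not affected.
 */
int
upload_name_ok(const char *path, int anonymous, enum name_policy policy)
{
    /* <ctype.h> functions need values in unsigned char range. */
    const unsigned char *p = (const unsigned char *)path;
    int at_start = 1;   /* next byte begins a path component */

    if (!anonymous)
        return 1;
    if (path == NULL || *p == '\0')
        return 0;

    for (; *p != '\0'; p++) {
        if (*p == '/') {        /* separator: next byte starts a component */
            at_start = 1;
            continue;
        }
        if (policy == POLICY_ALL_PRINT) {
            if (!isprint(*p))   /* rejects control bytes such as ^H */
                return 0;
        } else if (at_start) {
            int ok = isalnum(*p) ||
                (policy == POLICY_FIRST_ALNUM_US && *p == '_');
            if (!ok)
                return 0;
        }
        at_start = 0;
    }
    return 1;
}
```

In the default "C" locale both `isalnum()` and `isprint()` reject bytes above 0x7F, which is the concern raised in the thread about users outside the U.S.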