From owner-freebsd-hackers Sun Jan 20 3:30: 6 2002
Date: Sun, 20 Jan 2002 03:30:02 -0800
From: Alfred Perlstein
To: Aaron Smith
Cc: freebsd-hackers@freebsd.org
Subject: Re: ftpd patch that saves me a lot of hassle
Message-ID: <20020120033002.C13686@elvis.mu.org>
References: <20020119122812.E909@gelatinous.com>
In-Reply-To: <20020119122812.E909@gelatinous.com>; from aaron-fbsd@mutex.org on Sat, Jan 19, 2002 at 12:28:12PM -0800

* Aaron Smith [020119 12:29] wrote:
> I got sick of (presumably) warez people probing my anonymous ftp site and
> dropping all kinds of hard-to-delete trash in incoming, so I patched my
> ftpd to only allow directories to start with alphanumerics. There's
> probably a better solution, but this works for me so I figured I'd share.
>
> Combining this with a umask that doesn't allow reading uploaded files keeps
> things reasonably well in hand.

This is cool, would be cooler if it was a regex or something to validate
the names passed in via a command line, also could be used to protect
against evil filenames. :)

>
> --Aaron
>
>
> Index: ftpd.c > =================================================================== > RCS file: /usr/cvs/src/libexec/ftpd/ftpd.c,v > retrieving revision 1.62.2.15 > diff -u -r1.62.2.15 ftpd.c > --- ftpd.c 2001/12/18 18:35:55 1.62.2.15 > +++ ftpd.c 2002/01/19 09:47:42 
> @@ -2216,6 +2216,12 @@ > { > > LOGCMD("mkdir", name); > + > + if (!isalnum(*name)) { > + reply(521, "Bite me."); > + return; > + } > + > if (mkdir(name, 0777) < 0) > perror_reply(550, name); > else >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/
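Review bot: The test `!isalnum(*name)` in the mkdir hunk looks only at the first byte of the whole argument, so a name whose leading directory component is alphanumeric passes even when the final component, the one actually being created, begins with a dot, a space or a control character; check the character after the last `/` (or every component) rather than `*name`. Because `*name` is a plain char, it should be passed as `(unsigned char)*name` so that bytes above 0x7f do not give isalnum an out-of-range argument. The rejection is sent as reply(521, "Bite me.") while the failure path directly below reports with 550; using 550 with a message that states the naming rule would keep client behaviour and logs consistent. The hunk covers the mkdir path only, so the same rule is not applied to other names by this change.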
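The pattern-based validation suggested in the reply, sketched as an added example; it is not code from ftpd or from either poster. It matches every path component against a POSIX extended regex that an operator could supply at startup; the default pattern, the function names and the sample names are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Assumed default policy (not from the thread): each component starts with an
 * ASCII alphanumeric and continues with alphanumerics, '.', '_' or '-'. */
#define DEFAULT_NAME_PATTERN "^[A-Za-z0-9][A-Za-z0-9._-]*$"

/* Compile the operator-supplied pattern once at startup; returns 0 on success. */
int name_policy_init(regex_t *re, const char *pattern)
{
    return regcomp(re, pattern, REG_EXTENDED | REG_NOSUB);
}

/* Return 1 if every '/'-separated component of path matches the policy, else 0.
 * Empty components (extra slashes) are skipped; an empty path is rejected. */
int name_allowed(const regex_t *re, const char *path)
{
    char comp[256];
    int seen = 0;
    while (*path != '\0') {
        size_t len = strcspn(path, "/");
        if (len >= sizeof(comp))
            return 0;               /* over-long component: refuse, never truncate */
        if (len > 0) {
            memcpy(comp, path, len);
            comp[len] = '\0';
            if (regexec(re, comp, 0, NULL, 0) != 0)
                return 0;           /* one bad component rejects the whole path */
            seen = 1;
        }
        path += len;
        if (*path == '/') path++;
    }
    return seen;
}

int main(void)
{
    /* Constructed sample names, not taken from the thread. */
    const char *samples[] = { "incoming/newdir", "incoming/.hidden", " spaces", "a/../b" };
    regex_t re;
    if (name_policy_init(&re, DEFAULT_NAME_PATTERN) != 0)
        return 1;
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s %s\n", samples[i], name_allowed(&re, samples[i]) ? "ok" : "rejected");
    regfree(&re);
    return 0;
}
```

Checking each component rather than the first byte of the argument is what makes the rule hold for nested paths.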