Commit Graph

68 Commits

Author SHA1 Message Date
David E. O'Brien
ec85f7fa39 Move variable externs into extern.h so they are checked against the definitions. 2009-04-07 20:34:34 +00:00
Colin Percival
f0b40b1c97 Prevent cross-site forgery attacks on ftpd(8) due to splitting
long commands into multiple requests. [08:12]

Avoid calling uninitialized function pointers in protocol switch
code. [08:13]

Merry Christmas everybody...

Approved by:	so (cperciva)
Approved by:	re (kensmith)
Security:	FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw
2008-12-23 01:23:09 +00:00
Yaroslav Tykhiy
2ea4228214 Add support for RFC 2389 (FEAT) and RFC 2640 (UTF8) to ftpd(8).
The support for RFC 2640 (UTF8) is optional and rudimentary.
The server just advertises its capability to handle UTF-8 file
names and relies on its own 8-bit cleanness, as well as on
the backward compatibility of UTF-8 with ASCII.  So uploaded
files will have UTF-8 names, but the initial server contents
should be prepared in UTF-8 by hand, no on-the-fly conversion
of file names will be done.

PR:		bin/111714
Submitted by:	Zhang Weiwu <see email in the PR>
MFC after:	1 week
2007-04-18 22:43:39 +00:00
Yaroslav Tykhiy
31ee80d88a Fix compilation of ftpcmd.y without -DINET6.
Respect MK_INET6_SUPPORT in Makefile.

Requested by:	Attila Nagy <bra at fsn dot hu>
MFC after:	1 week
2006-06-05 15:50:34 +00:00
Yaroslav Tykhiy
0c4b401f76 Use __FBSDID. 2004-11-18 13:46:29 +00:00
Yaroslav Tykhiy
02c9749295 Use uniform punctuation, capitalization, and language style
in server messages wherever this doesn't contradict to a particular
message format.
2004-11-18 11:45:13 +00:00
Yaroslav Tykhiy
82c03024c2 Fix perror_reply() vs. reply() usage. 2004-11-18 11:27:31 +00:00
Yaroslav Tykhiy
7e295315e6 Kill more unneeded casts found.
Noticed by:	Nick Leuta <skynick -at- mail.sc.ru> (some of them)
2004-11-17 11:52:41 +00:00
Yaroslav Tykhiy
e3765043a8 Kill ancient casts to integral types left from the K&R era.
They're unneeded and sometimes erroneous now.
2004-11-13 13:15:47 +00:00
Yaroslav Tykhiy
aa5a9d3fff Change `(foo *)0'' to `NULL'' where it's possible
(and it appears possible throughout ftpd(8) source.)

It is not a mere issue of style: Null pointers in C
seem to have been mistaken one way or another quite often.
2004-07-31 15:03:17 +00:00
Yaroslav Tykhiy
0e519c96ef Kill a small herd of casts to off_t where they were not needed.
Thank Fortune, the C compiler can figure out by itself the proper
conversion for assignments, comparisons, and prototyped function
arguments.
2004-07-31 14:46:41 +00:00
Yaroslav Tykhiy
a57e1ef070 Printf(3) off_t values through conversion to intmax_t since
we've got <stdint.h> et al now.  (This makes ftpd(8) WARNS=2 clean.)
2004-07-31 14:22:02 +00:00
Yaroslav Tykhiy
012cdd2c90 Convert a couple of bogus null statements to the right form.
(Heading to WARNS=2.)
2004-07-31 14:03:14 +00:00
Peter Wemm
45ffe5605f Pacify gcc warning with a Douglas Adams reference. 2003-10-26 04:30:05 +00:00
Yaroslav Tykhiy
e25d3184d0 Block SIGURG while reading from the control channel.
Rationale:

SIGURG is configured by ftpd to interrupt system calls, which is useful
during data transfers.  However, SIGURG could interrupt I/O on the
control channel as well, which was mistaken for the end of the session.

A practical example could be aborting the download of a tiny file,
when the abort sequence reached ftpd after ftpd had passed the file
data to the system and returned to its command loop.

Reported by:	ceri
MFC after:	1 week
2003-07-09 13:54:33 +00:00
Yaroslav Tykhiy
39b96ba75d Improve error handling in getline():
- always check the return value from getc(3) for EOF;
- if the attempt to read the TELNET command byte has
  returned EOF, exit from the loop instead of using
  the EOF value as a normal character.

MFC after:	1 week
2003-07-09 13:15:32 +00:00
Yaroslav Tykhiy
9581ecbd72 Don't declare unneeded extern variables,
leave alone specifying a wrong type for one of them.
2003-06-21 10:45:38 +00:00
Yaroslav Tykhiy
a278e092d3 If ftpd is run with an -h option (hide host-specific info,)
don't reveal the info in reply to the SYST command.

Get rid of using the "unix" macro at the same time.  It was a rather
poor way to check if the system was Unix since there were quite a
few Unix clones out there whose cc didn't define "unix" (e.g.,
NetBSD.)  It was also sensitive to the C standard used, which caused
unnecessary trouble:  With -std=c99, it should have been "__unix__",
and so on.

PR:		bin/50690
Submitted by:	Alex Semenyaka <alexs _at_ snark.ratmir.ru>
MFC after:	1 week
2003-06-16 11:30:23 +00:00
Yaroslav Tykhiy
31f77a4b49 Allow "~/" in pathnames to work for a chrooted user. 2003-02-05 11:11:32 +00:00
Yaroslav Tykhiy
6cfbc84115 Let tilde expansion be done even if a file/directory doesn't exist yet.
This makes such natural commands as "MKD ~user/newdir" or "STOR ~/newfile"
do what they are supposed to instead of failing miserably with the
"File not found" error.

This involves a bit of code reorganization.  Namely, the code doing
glob(3) expansion has been separated to a function; a new function
has been introduced to do tilde expansion; the latter function is
invoked on a pathname before the former one.  Thus behaviour mimicing
that of the Bourne shell has been achieved.
2003-02-04 17:50:38 +00:00
Yaroslav Tykhiy
c152df28e5 Add a new option to ftpd(8), "-h", to disable printing any
host-specific information in FTP server messages (so paranoid
admins can sleep at night :-)

PR:		bin/16705
MFC after:	1 week
2003-01-29 10:58:58 +00:00
Yaroslav Tykhiy
ce9287fc02 Give the code around chroot(2)/chdir(2) a major overhaul by
separating its part around chroot(2) from that around initial
chdir(2).  This makes the below changes really easy.

Move seteuid(to user's uid) to before calling chdir(2).  There are
two goals to achieve by that.  First, NFS mounted home directories
with restrictive permissions become accessible (local superuser
can't access them if not mapped to uid 0 on the remote side
explicitly.)  Second, all the permissions to the home directory
pathname components become effective; previously a user could be
carried to any local directory despite its permissions since the
chdir(2) was done with euid 0.  This reduces possible impact from
FTP server misconfiguration, e.g., assigning a wrong home directory
to a user.

Implement the "/./" feature.  Now a guest or user subject to chrooting
may have "/./" in his login directory, which separates his chroot
directory from his home directory inside the chrooted environment.
This works for ftpchroot(5) as well.

PR:		bin/17843 bin/23944
2003-01-29 10:07:27 +00:00
Yaroslav Tykhiy
80f728d4ff GLOB_MAXPATH has been deprecated in favour of GLOB_LIMIT. 2003-01-25 14:59:48 +00:00
Yaroslav Tykhiy
b7f470a943 Prevent server-side glob(3) patterns from expanding
to a pathname that contains '\r' or '\n'.

Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.
2003-01-22 16:25:22 +00:00
Yaroslav Tykhiy
dcb4f239cd Replace the instances of literal "/bin/ls"
with the _PATH_LS macro to be consistent
with the rest of the ftpd(8) source.
2003-01-16 13:27:58 +00:00
Mike Barcroft
89fdc4e117 Use the standardized CHAR_BIT constant instead of NBBY in userland. 2002-09-25 04:06:37 +00:00
Yaroslav Tykhiy
371348ae25 Fix lexer jam on unimplemented commands.
Submitted by:	maxim
MFC after:	5 days
2002-08-29 09:23:08 +00:00
Yaroslav Tykhiy
e9b61cfeb0 Fix command help lines:
o PORT takes six byte values, not five.
o TYPE argument is mandatory.

Submitted by:	demon (the 1st part)
MFC after:	3 days
2002-08-13 13:56:42 +00:00
Yaroslav Tykhiy
1b9f1a4bd2 1) Use "pathstring" instead of "STRING" consistently.
2) Remove unneeded "if not NULL" props from "pathstring",
   which will never be NULL by the lexer design.

Inspired by:	OpenBSD
MFC after:	1 week
2002-08-05 17:34:15 +00:00
Yaroslav Tykhiy
1d1dc13be6 Since GLOB_NOCHECK is set in the glob(3) call,
glob(3) will return at least one pathname unless
a system error has occured.  It's not a "not found"
error otherwise.

MFC after:	3 days
2002-08-05 14:40:38 +00:00
Yaroslav Tykhiy
effa0530c4 Spot places where "pathname" hasn't been checked
for NULL.  The "pathname" rule may return NULL
on a glob(3) error.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:26:40 +00:00
Yaroslav Tykhiy
c452fbe11c Disallow invalid numeric mode values for SITE CHMOD.
Earlier, a decimal number (e.g., 890) could be passed
for mode, leading to dangerous permissions set:
-1, that is, 07777.

Obtained from:	OpenBSD
MFC after:	1 week
2002-08-05 14:10:57 +00:00
Yaroslav Tykhiy
781cfb9348 Deny the SIZE command on large files when in ASCII mode.
This eliminates an opportunity for DoS attack.

Pointed out by:	maxim
Inspired by:	lukemftpd, OpenBSD
MFC after:	2 weeks
2002-07-31 10:55:31 +00:00
Yaroslav Tykhiy
4454edd688 Use <arpa/ftp.h> stuff cleanly, without introducing
non-portable constants (in this case, hidden as offsets
to the "?AEIL" string.)

MFC after:	1 week
2002-07-25 17:41:47 +00:00
Mike Heffner
12da320bf9 GLOB_QUOTE has been retired. 2002-07-17 05:47:49 +00:00
Maxim Konovalov
7d0babda6d Teach REST how to restart a file transfer after 2^31 bytes: now yylex()
returns off_t in yylval.u.o. REST is the only user of yylval.u.o at the
moment.

NB: seems lukemftpd has the same bug.

PR:		misc/28629
Reviewed by:	ru
Approved by:	ru
MFC after:	1 month
2002-03-14 16:05:06 +00:00
Maxim Konovalov
39e992262c Remove duplicated yacc nonterminals declarations, sort includes.
No functional changes from rev. 1.31.

Reviewed by:	ru
Approved by:	ru
MFC after:	1 week
2002-03-11 11:48:55 +00:00
Warner Losh
e4bc453cc2 o Eliminate __P
o Use new-style function definitions
o remove some !__STDC__ code
o eliminate register
2002-02-03 15:53:02 +00:00
Yaroslav Tykhiy
4b82fc955f Remove the setjmp/longjmp stuff completely. Use signal
handlers to set flags only (with exception for sigquit(),
which still seems to call some non-reentrant functions on
its way to _exit(2).)  That must eliminate the possibility
of catching SIGSEGV from following non-reentrant paths from
signal handlers.

PR:		bin/32740 bin/33846
Submitted by:	Maxim Konovalov <maxim@macomnet.ru>
Obtained from:	OpenBSD
2002-01-28 19:28:14 +00:00
David Malone
c507cedecf Be more careful about freeing memory after parsing commands.
Hiroyuki YAMAMORI gave a patch for the EPRT command in the
PR below. Problems with the rest of the patch are my fault.

PR:		33268
Reviewed by:	iedowse, sheldonh
2002-01-05 20:13:01 +00:00
Sheldon Hearn
1cc9f0bb31 Extend the functionality offered by the -o option into a new option
-O, which limits the impact of the write-only restriction to guest
users.

*) The existing manual page's SYNOPSIS and option listing in the
   DESCRIPTION are already horribly disordered.  No attempt has been
   made to fix this.

*) The existing source's getopt() optstring and option handling switch
   are already horribly disordered.  No attempt has been made to fix
   this.

Discussed with: nik, -audit
2001-09-02 17:24:19 +00:00
Nik Clayton
62513e761e Add a new option, '-o', for "Write-only". Disables the RETR command,
preventing anyone from downloading files.  In conjunction with -A, and some
appropriate file permissions, this lets you create an anonymous FTP drop
box for people to upload files to.

The more obvious "-w" flag is already taken by NetBSD's ftpd.  "-o" was
available as an option letter in all three BSDs.
2001-08-28 11:59:21 +00:00
Mark Murray
618b0bba1f Change names of functions and variables with global scope that are
in conflict with library values of the same name. This allows static
linking.
2001-04-28 07:55:19 +00:00
Peter Wemm
70825609cf Previous clobbered a work-in-progress. Here is the merged result:
Limit the "pathname" glob to one item, as that is what all users of it
are expecting, except for LIST.

Always glob, instead of when the first character is a ~.  For example,
if you had directories ~/x1, and ~/x2, then "cwd x[1]" would fail, but
"cwd ~/x[1]" would work since it was globbed due to the ~ character.
Also, "cwd ~/x[12]" used to arbitarily work as it used the first
expansion (ie: x1) without an error.  Make it return '550 ambiguous'
instead of '550 not found' so that the user can see the difference.

For LIST, just use the user supplied string as the popen does the glob.

Problem noticed by:  Ajay Mittal <amittal@iprg.nokia.com>
2001-04-17 03:03:45 +00:00
Chris D. Faulhaber
6d3fe674ce Limit number of paths returned via glob() for authorized users
using tilde expansion.
2001-04-17 02:33:20 +00:00
Brian Feldman
7d6505e64e Support the empty "PASS\r\n" command. 2001-04-16 22:20:26 +00:00
Poul-Henning Kamp
53ba84a69e Add the "SITE MD5 filename" facility.
This allows you to determine if the file on the other side is the same
as the one you have without transferring the entire file to compare.

Needless to say, if the server end lies to you this check doesn't work,
but on the other hand, if it lies to you about the files checksum,
what can you trust from it ?
2001-04-15 20:59:29 +00:00
Dag-Erling Smørgrav
e22887cdda Change the read-only reply to "550 Permission denied.". 2001-02-19 21:51:26 +00:00
Chris D. Faulhaber
3fca54b652 Limit commands that can be issued when not logged in:
TYPE, STRU, MODE, ALLO, STAT, ABOR, SITE IDLE, SYST, REST

Reviewed by:	kris, sheldon
2001-01-20 01:34:22 +00:00
Poul-Henning Kamp
a4b77a2aaa Add option -E to disable EPSV which throws certain stateful firewalls
into confusion.

Add option -r to make ftpd support only read-only operations.

Submitted by:	Flemming (F3) Jacobsen <fj@batmule.dk>
Reviewed by:	phk
2000-12-16 19:19:19 +00:00