Date: Tue, 28 Oct 2014 19:34:42 +0000
From: Stuart Henderson <sthen@...nbsd.org>
To: oss-security@...ts.openwall.com
Subject: Re: ftp(1) can be made execute arbitrary commands by malicious webserver

On 2014/10/28 17:50, Alistair Crooks wrote:
> The FTP client will follow HTTP redirects, and uses the part of the
> path after the last / from the last resource it accesses as the output
> filename (as long as -o is not specified).

BTW, I changed OpenBSD's ftp(1) a while ago to just use the "filename" part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) - it's a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile).
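The two naming policies discussed in this thread, side by side, as an added illustration that is not part of the message and not OpenBSD's or NetBSD's ftp(1) code: `output_name_from_redirect` derives the output file name from the last resource fetched (the behaviour Alistair describes), while `output_name_from_request` derives it only from the URL the user typed (the OpenBSD change Stuart describes, matching `curl -O`) and additionally refuses anything that is not a single plain path component. Function names, the `.invalid` URLs and the dotfile redirect target are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the last path component of a URL as a newly allocated string,
 * e.g. "http://host/dir/file.tgz?x=1" -> "file.tgz". Query strings and
 * fragments are stripped first. Returns NULL when there is no usable
 * component (no path, or a path ending in '/'). Caller frees. */
static char *url_basename(const char *url)
{
    const char *scheme = strstr(url, "://");
    const char *path = scheme ? strchr(scheme + 3, '/') : strchr(url, '/');
    if (path == NULL)
        return NULL;

    const char *end = path + strcspn(path, "?#");   /* drop ?query and #fragment */
    const char *last = end;
    while (last > path && last[-1] != '/')
        last--;

    size_t n = (size_t)(end - last);
    if (n == 0)
        return NULL;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, last, n);
    out[n] = '\0';
    return out;
}

/* Added check (assumption, not from the message): a name is acceptable as
 * an output file only if it is one plain path component: non-empty,
 * contains no '/', and is not "." or "..". */
static int safe_output_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Behaviour described in the quoted report: the output name is taken from
 * the last resource actually fetched, so a redirecting server chooses it. */
char *output_name_from_redirect(const char *original_url, const char *final_url)
{
    (void)original_url;
    return url_basename(final_url);
}

/* Behaviour after the OpenBSD change (and what curl -O does): the output
 * name is taken from the URL the user typed; redirect targets never
 * influence it. Names that are not a single plain component are refused. */
char *output_name_from_request(const char *original_url, const char *final_url)
{
    (void)final_url;
    char *name = url_basename(original_url);
    if (!safe_output_name(name)) {
        free(name);
        return NULL;
    }
    return name;
}

int main(void)
{
    /* Constructed sample: the user asks for a tarball, the server answers
     * with a redirect whose last path component is a dotfile. */
    const char *requested = "http://example.invalid/pub/tool-1.0.tgz";
    const char *redirected = "http://redirect.invalid/x/.profile";

    char *bad = output_name_from_redirect(requested, redirected);
    char *good = output_name_from_request(requested, redirected);
    printf("name from redirect target:  %s\n", bad ? bad : "(none)");
    printf("name from original request: %s\n", good ? good : "(none)");
    free(bad);
    free(good);
    return 0;
}
```

With the constructed sample the redirect-based policy yields `.profile`, the request-based policy yields `tool-1.0.tgz`; a request URL ending in `/` yields no name at all under the request-based policy, so the client would have to ask the user for one rather than accept whatever the server suggests.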