Date: Tue, 28 Oct 2014 19:34:42 +0000
From: Stuart Henderson <sthen@...nbsd.org>
To: oss-security@...ts.openwall.com
Subject: Re: ftp(1) can be made execute arbitrary commands by
 malicious webserver

On 2014/10/28 17:50, Alistair Crooks wrote:
>    The FTP client will follow HTTP redirects, and uses the part of the
>    path after the last / from the last resource it accesses as the output
>    filename (as long as -o is not specified).

BTW, I changed OpenBSD's ftp(1) a while ago to just use the "filename"
part of the original request, rather than taking a name from the
redirection target (this also matches what curl -O does) - it's a bit
less convenient in some cases, but it felt like a bad idea to allow the
output filename to be under control of the remote host (though I was
more thinking of the situation where someone might run it from their
home directory and write to something like .profile).
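The two filename-derivation rules contrasted above, as an added illustration (hypothetical helper code, not OpenBSD's ftp(1) source): the output name is taken from the URL the user requested, and a name that is empty or begins with a dot is refused; the URLs, the redirect target and the example.com host are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Last path component of a URL (text after the final '/'), or ""
 * when the URL ends with a slash. Hypothetical helper for this example. */
static const char *path_basename(const char *url) {
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *slash = strrchr(p, '/');
    return slash ? slash + 1 : p;
}

/* Hardened rule: derive the local filename from the ORIGINAL request URL.
 * Returns 1 and writes the name to out, or 0 when the name is empty
 * (URL ends in '/'), too long, or starts with '.' (".profile", ".", ".."). */
int output_name_from_url(const char *url, char *out, size_t outlen) {
    const char *base = path_basename(url);
    /* drop any query string or fragment so "?x=1" never becomes part of the name */
    size_t n = strcspn(base, "?#");
    if (n == 0 || n >= outlen) return 0;
    if (base[0] == '.') return 0;
    memcpy(out, base, n);
    out[n] = '\0';
    return 1;
}

/* Constructed redirect scenario: the server answers the original request
 * with a Location header whose last path component is ".profile". */
const char *ORIGINAL_URL = "http://example.com/pub/file.tar.gz";
const char *REDIRECT_TARGET = "http://example.com/.profile";

/* Old rule described in the thread: name comes from the LAST resource
 * accessed, i.e. from the redirect target chosen by the remote host. */
const char *vulnerable_output_name(void) {
    return path_basename(REDIRECT_TARGET);
}

int main(void) {
    char out[64];
    printf("redirect-derived name : %s\n", vulnerable_output_name());
    if (output_name_from_url(ORIGINAL_URL, out, sizeof out))
        printf("request-derived name  : %s\n", out);
    return 0;
}
```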
