Date: Tue, 28 Oct 2014 19:34:42 +0000
From: Stuart Henderson <sthen@...nbsd.org>
To: oss-security@...ts.openwall.com
Subject: Re: ftp(1) can be made execute arbitrary commands by malicious webserver

On 2014/10/28 17:50, Alistair Crooks wrote:
> The FTP client will follow HTTP redirects, and uses the part of the
> path after the last / from the last resource it accesses as the output
> filename (as long as -o is not specified).

BTW, I changed OpenBSD's ftp(1) a while ago to just use the "filename" part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) - it's a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile).
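An added example, not OpenBSD's ftp(1) code, contrasting the two output-name policies discussed in this thread: naming the file after the last resource fetched (the redirect target) versus naming it after the original request, as curl -O does. The URLs, function names and the empty-name check are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the component after the last '/' of url (query string dropped) into
 * out. Returns 0 on success, -1 if the name is empty (URL ends in '/') or
 * too long, so a caller can refuse rather than guess a name. */
static int
url_basename(const char *url, char *out, size_t outsz)
{
	const char *end = strchr(url, '?');
	const char *start;
	size_t len;

	if (end == NULL)
		end = url + strlen(url);
	start = end;
	while (start > url && start[-1] != '/')
		start--;
	len = (size_t)(end - start);
	if (len == 0 || len >= outsz)
		return -1;
	memcpy(out, start, len);
	out[len] = '\0';
	return 0;
}

/* Policy quoted in the thread: name the file after the last resource
 * fetched, i.e. whatever the (possibly hostile) server redirected to. */
int
outname_from_redirect_target(const char *orig_url, const char *final_url,
    char *out, size_t outsz)
{
	(void)orig_url;
	return url_basename(final_url, out, outsz);
}

/* Policy from the reply (and curl -O): name the file after the original
 * request, so a redirect cannot choose where the bytes land. */
int
outname_from_original_request(const char *orig_url, const char *final_url,
    char *out, size_t outsz)
{
	(void)final_url;
	return url_basename(orig_url, out, outsz);
}
```

On a constructed chain where a request for `http://mirror.example/pub/pkg.tgz` is redirected to `http://mirror.example/evil/.profile`, the first policy names the output `.profile` and the second keeps `pkg.tgz`.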