Message-ID: <20141028193442.GC32688@symphytum.spacehopper.org>
Date: Tue, 28 Oct 2014 19:34:42 +0000
From: Stuart Henderson <sthen@...nbsd.org>
To: oss-security@...ts.openwall.com
Subject: Re: ftp(1) can be made execute arbitrary commands by malicious webserver

On 2014/10/28 17:50, Alistair Crooks wrote:
>    The FTP client will follow HTTP redirects, and uses the part of the
>    path after the last / from the last resource it accesses as the output
>    filename (as long as -o is not specified).

BTW, I changed OpenBSD's ftp(1) a while ago to just use the "filename"
part of the original request, rather than taking a name from the
redirection target (this also matches what curl -O does) - it's a bit
less convenient in some cases, but it felt like a bad idea to allow the
output filename to be under control of the remote host (though I was
more thinking of the situation where someone might run it from their
home directory and write to something like .profile).
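As an added illustration of the filename policy Stuart describes (not code from OpenBSD's ftp(1), curl, or anyone in the thread), the following Python puts the redirect-following naming rule beside the original-request rule; the URLs, redirect chain and function names are constructed for the example.

```python
from __future__ import annotations

import posixpath
from urllib.parse import urlsplit

# Constructed sample: the URL the user asked for, followed by the redirect hops
# a hostile server returns. The basename of the final hop is chosen remotely.
ORIGINAL_URL = "http://mirror.example/pub/package-1.0.tar.gz"
REDIRECT_CHAIN = [
    ORIGINAL_URL,
    "http://mirror.example/cgi/download?id=42",
    "http://evil.example/pub/.profile",  # attacker-chosen final resource
]


def basename_of_url(url: str) -> str:
    """Part of the URL path after the last '/', ignoring query and fragment."""
    return posixpath.basename(urlsplit(url).path)


def output_name_vulnerable(chain: list[str]) -> str:
    """Pre-fix rule: the name comes from the last resource actually fetched,
    so a redirecting server decides which file in the cwd gets written."""
    return basename_of_url(chain[-1])


def output_name_fixed(chain: list[str], explicit: str | None = None) -> str:
    """Post-fix rule (the policy described in the message, as curl -O does):
    honour -o when given, otherwise derive the name from the ORIGINAL request
    only. The original URL was typed by the user, so its basename is their
    own choice rather than the remote host's."""
    if explicit is not None:
        return explicit
    name = basename_of_url(chain[0])
    # Defensive check: a directory-style URL or '.'/'..' yields no usable name.
    if name in ("", ".", ".."):
        raise ValueError(f"no output filename derivable from {chain[0]!r}; use -o")
    return name
```

Running both rules over the constructed chain shows the difference: the vulnerable rule yields ".profile", the fixed rule yields "package-1.0.tar.gz".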
