Source-Changes-HG archive


[src/netbsd-3-0]: src/libexec/ftpd Pull up following revision(s) (requested b...



details:   https://anonhg.NetBSD.org/src/rev/1e24b4a3e16d
branches:  netbsd-3-0
changeset: 579504:1e24b4a3e16d
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Thu Sep 18 19:28:40 2008 +0000

description:
Pull up following revision(s) (requested by lukem in ticket #1964):
        libexec/ftpd/ftpd.c: revision 1.187 via patch
        libexec/ftpd/extern.h: revision 1.58 via patch
        libexec/ftpd/ftpcmd.y: revision 1.88 via patch
        libexec/ftpd/version.h: patch
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib%securityreason.com@localhost>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.org>

diffstat:

 libexec/ftpd/extern.h  |   6 +++---
 libexec/ftpd/ftpcmd.y  |  45 ++++++++++++++++++++++++++++++++++-----------
 libexec/ftpd/ftpd.c    |  12 +++++++++---
 libexec/ftpd/version.h |   4 ++--
 4 files changed, 48 insertions(+), 19 deletions(-)

diffs (191 lines):

diff -r 45018403d967 -r 1e24b4a3e16d libexec/ftpd/extern.h
--- a/libexec/ftpd/extern.h     Thu Sep 18 19:22:38 2008 +0000
+++ b/libexec/ftpd/extern.h     Thu Sep 18 19:28:40 2008 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: extern.h,v 1.52 2005/03/03 22:19:47 ginsbach Exp $     */
+/*     $NetBSD: extern.h,v 1.52.4.1 2008/09/18 19:28:40 bouyer Exp $   */
 
 /*-
  * Copyright (c) 1992, 1993
@@ -32,7 +32,7 @@
  */
 
 /*-
- * Copyright (c) 1997-2005 The NetBSD Foundation, Inc.
+ * Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
@@ -139,7 +139,7 @@
 void   format_path(char *, const char *);
 int    ftpd_pclose(FILE *);
 FILE   *ftpd_popen(char *[], const char *, int);
-char   *getline(char *, int, FILE *);
+int    getline(char *, int, FILE *);
 void   init_curclass(void);
 void   logxfer(const char *, off_t, const char *, const char *,
            const struct timeval *, const char *);
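Review bot: The new `int` return of getline carries three meanings (0, -1, -2) that appear only as bare literals at the call sites in ftp_loop and handleoobcmd. Naming them beside this prototype, for example `#define GETLINE_EOF (-1)` and `#define GETLINE_TOOLONG (-2)` (suggested names), would keep the callers and the function from drifting apart. A caller not touched by this commit that still compares the result with `NULL` would probably build with at most a warning and then treat a successful read as EOF, so the tree is worth checking for remaining uses.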
diff -r 45018403d967 -r 1e24b4a3e16d libexec/ftpd/ftpcmd.y
--- a/libexec/ftpd/ftpcmd.y     Thu Sep 18 19:22:38 2008 +0000
+++ b/libexec/ftpd/ftpcmd.y     Thu Sep 18 19:28:40 2008 +0000
@@ -1,7 +1,7 @@
-/*     $NetBSD: ftpcmd.y,v 1.83 2005/03/03 22:19:47 ginsbach Exp $     */
+/*     $NetBSD: ftpcmd.y,v 1.83.4.1 2008/09/18 19:28:40 bouyer Exp $   */
 
 /*-
- * Copyright (c) 1997-2005 The NetBSD Foundation, Inc.
+ * Copyright (c) 1997-2008 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
@@ -79,7 +79,7 @@
 #if 0
 static char sccsid[] = "@(#)ftpcmd.y   8.3 (Berkeley) 4/6/94";
 #else
-__RCSID("$NetBSD: ftpcmd.y,v 1.83 2005/03/03 22:19:47 ginsbach Exp $");
+__RCSID("$NetBSD: ftpcmd.y,v 1.83.4.1 2008/09/18 19:28:40 bouyer Exp $");
 #endif
 #endif /* not lint */
 
@@ -1363,8 +1363,12 @@
 
 /*
  * getline - a hacked up version of fgets to ignore TELNET escape codes.
+ *     `s' is the buffer to read into.
+ *     `n' is the 1 less than the size of the buffer, to allow trailing NUL
+ *     `iop' is the FILE to read from.
+ *     Returns 0 on success, -1 on EOF, -2 if the command was too long.
  */
-char *
+int
 getline(char *s, int n, FILE *iop)
 {
        int c;
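Review bot: The new header comment does not say what `s` holds when -2 is returned. Judging from the truncation path in the later hunk, the function returns before the terminating NUL is written, so callers must not read `s` in that case. I would add a line such as `On -2 the contents of s are unspecified and not NUL-terminated.` and correct the second line to read `n' is 1 less than the size of the buffer`. The function body continues outside this hunk.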
@@ -1379,7 +1383,7 @@
                        if (debug)
                                syslog(LOG_DEBUG, "command: %s", s);
                        tmpline[0] = '\0';
-                       return(s);
+                       return(0);
                }
                if (c == 0)
                        tmpline[0] = '\0';
@@ -1418,11 +1422,25 @@
                    }
                }
                *cs++ = c;
-               if (--n <= 0 || c == '\n')
+               if (--n <= 0) {
+                       /*
+                        * If command doesn't fit into buffer, discard the
+                        * rest of the command and indicate truncation.
+                        * This prevents the command to be split up into
+                        * multiple commands.
+                        */
+                       if (debug)
+                               syslog(LOG_DEBUG,
+                                   "command too long, last char: %d", c);
+                       while (c != '\n' && (c = getc(iop)) != EOF)
+                               continue;
+                       return (-2);
+               }
+               if (c == '\n')
                        break;
        }
        if (c == EOF && cs == s)
-               return (NULL);
+               return (-1);
        *cs++ = '\0';
        if (debug) {
                if ((curclass.type != CLASS_GUEST &&
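Review bot: Because `--n <= 0` is now tested before `c == '\n'`, a line whose newline lands in the last permitted slot is reported as too long, even though the callers pass size-1 and the NUL would still fit. The old combined test accepted such a line. If the stricter limit is not intended, test the newline first: `if (c == '\n') break;` ahead of the `if (--n <= 0) { ... return (-2); }` block. The loop starts outside this hunk, so this assumes n is only consumed here for input read from the stream.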
@@ -1444,7 +1462,7 @@
                        syslog(LOG_DEBUG, "command: %.*s", len, s);
                }
        }
-       return (s);
+       return (0);
 }
 
 void
@@ -1458,15 +1476,20 @@
 void
 ftp_loop(void)
 {
+       int ret;
 
        while (1) {
                (void) alarm(curclass.timeout);
-               if (getline(cbuf, sizeof(cbuf)-1, stdin) == NULL) {
+               ret = getline(cbuf, sizeof(cbuf)-1, stdin);
+               (void) alarm(0);
+               if (ret == -1) {
                        reply(221, "You could at least say goodbye.");
                        dologout(0);
+               } else if (ret == -2) {
+                       reply(500, "Command too long.");
+               } else {
+                       ftp_handle_line(cbuf);
                }
-               (void) alarm(0);
-               ftp_handle_line(cbuf);
        }
        /*NOTREACHED*/
 }
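Review bot: The `ret == -2` branch answers with 500 but leaves no trace at the default log level, because the only record of an oversized command is the `if (debug)` syslog inside getline. Oversized command lines are the visible symptom of the browser-driven attack described in the commit message, so a line such as `syslog(LOG_NOTICE, "command too long");` in this branch would give operators something to alert on. Since an unauthenticated client can trigger it repeatedly, some form of rate limiting or per-session counting should be considered alongside.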
diff -r 45018403d967 -r 1e24b4a3e16d libexec/ftpd/ftpd.c
--- a/libexec/ftpd/ftpd.c       Thu Sep 18 19:22:38 2008 +0000
+++ b/libexec/ftpd/ftpd.c       Thu Sep 18 19:28:40 2008 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ftpd.c,v 1.164.2.1.2.6 2008/09/18 19:22:38 bouyer Exp $        */
+/*     $NetBSD: ftpd.c,v 1.164.2.1.2.7 2008/09/18 19:28:40 bouyer Exp $        */
 
 /*
  * Copyright (c) 1997-2004 The NetBSD Foundation, Inc.
@@ -105,7 +105,7 @@
 #if 0
 static char sccsid[] = "@(#)ftpd.c     8.5 (Berkeley) 4/28/95";
 #else
-__RCSID("$NetBSD: ftpd.c,v 1.164.2.1.2.6 2008/09/18 19:22:38 bouyer Exp $");
+__RCSID("$NetBSD: ftpd.c,v 1.164.2.1.2.7 2008/09/18 19:28:40 bouyer Exp $");
 #endif
 #endif /* not lint */
 
@@ -2714,6 +2714,7 @@
 handleoobcmd()
 {
        char *cp;
+       int ret;
 
        if (!urgflag)
                return (0);
@@ -2722,9 +2723,14 @@
        if (!transflag)
                return (0);
        cp = tmpline;
-       if (getline(cp, sizeof(tmpline), stdin) == NULL) {
+       ret = getline(cp, sizeof(tmpline)-1, stdin);
+       if (ret == -1) {
                reply(221, "You could at least say goodbye.");
                dologout(0);
+       } else if (ret == -2) {
+               /* Ignore truncated command */
+               /* XXX: abort xfer with "500 command too long", & return 1 ? */
+               return 0;
        }
                /*
                 * Manually parse OOB commands, because we can't
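Review bot: On the `ret == -2` path the function returns with `tmpline` still holding the unterminated prefix of the oversized command, since `cp` points at `tmpline`. The getline hunk at -1379 clears `tmpline[0]` while it works, which suggests getline treats `tmpline` as saved input for its next call; that part of getline is not visible here. If that is the case, the fragment could be prepended to the following command, which is the kind of splitting this commit is meant to stop. Adding `tmpline[0] = '\0';` ahead of `return 0;` would rule that out. handleoobcmd continues outside the hunk.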
diff -r 45018403d967 -r 1e24b4a3e16d libexec/ftpd/version.h
--- a/libexec/ftpd/version.h    Thu Sep 18 19:22:38 2008 +0000
+++ b/libexec/ftpd/version.h    Thu Sep 18 19:28:40 2008 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: version.h,v 1.59 2005/03/03 22:19:47 ginsbach Exp $    */
+/*     $NetBSD: version.h,v 1.59.4.1 2008/09/18 19:31:33 bouyer Exp $  */
 /*-
  * Copyright (c) 1999-2004 The NetBSD Foundation, Inc.
  * All rights reserved.
@@ -36,5 +36,5 @@
  */
 
 #ifndef FTPD_VERSION
-#define        FTPD_VERSION    "NetBSD-ftpd 20050303"
+#define        FTPD_VERSION    "NetBSD-ftpd 20050303nb8"
 #endif


