Subject: ftp(1) security hole, and suggested fixes
To: None <tech-security@NetBSD.ORG>
From: Luke Mewburn <lm@rmit.edu.au>
List: tech-security
Date: 08/18/1997 00:25:29
Recently someone noted on BUGTRAQ that ftp(1) has two security
problems:

Problem:
    a remote ftp server can create unwanted files by returning a list of
    filenames to mget that aren't what the client asked for. Depending
    upon the complexity of attack by the hostile server, it may be
    rather difficult for a client to detect this in situ.
    E.g., if ftp is run in ~/foo, and "mget *" returns a list of filenames
    including "../.rhosts" with appropriate contents, then an unwary
    user or one who has disabled prompting may find their account wide
    open. Other attacks are possible.

Suggested fix:
    check the returned filenames against the local glob rules, and
    discard those that don't match (e.g., "../.forward" doesn't match
    "foo*"). This could be configurable with an option, and default
    to "do the check".
    I haven't done this yet, as I'm awaiting feedback on the idea.

Problem:
    it is possible to trick the client into executing arbitrary code
    on the client's machine by returning a filename such as '|sh',
    whose contents are the list of shell commands to execute.

Suggested fix:
    modify recvrequest() to take an extra argument, which means
    "ignore special names such as '-' and '|*'". Use this flag
    when calling recvrequest() from mget().
    I've done this, and it appears to work.


Comments?

-- 
Luke Mewburn, <lukem@netbsd.org>
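The two proposed checks, as an added example in C that is not NetBSD's ftp(1) code: a server-supplied name is fetched by mget only if it matches the user's pattern under the local glob rules (fnmatch(3) stands in for the client's own globbing here, with FNM_PATHNAME and FNM_PERIOD so that '*' behaves as it does in the shell), does not escape the current directory via ".." or an absolute path, and is not one of the names the client treats specially ('-' and '|cmd'). The function names and the sample server reply are constructed for this example.

```c
/* Added example, not ftp(1) source: screen the filename list a remote server
 * returns for "mget pattern" before any file is fetched. */
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Names the client would interpret instead of storing: "-" (write to stdout)
 * and "|cmd" (pipe the transfer into a shell command). This is the check the
 * proposed recvrequest() flag enables for mget. */
bool is_special_name(const char *name)
{
    return strcmp(name, "-") == 0 || name[0] == '|';
}

/* Reject absolute paths and any ".." path component, which would place the
 * file outside the directory the user ran ftp in (e.g. "../.rhosts"). */
bool escapes_cwd(const char *name)
{
    const char *p = name;
    if (*p == '/')
        return true;
    while (*p != '\0') {
        const char *seg_end = strchr(p, '/');
        size_t len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (seg_end == NULL)
            break;
        p = seg_end + 1;
    }
    return false;
}

/* A server-supplied name is acceptable for "mget pattern" only if it is not
 * special, stays inside the current directory, and matches the pattern under
 * shell-style glob rules: '*' does not cross '/' (FNM_PATHNAME) and does not
 * match a leading '.' (FNM_PERIOD), so "*" never matches "../.rhosts". */
bool mget_name_ok(const char *pattern, const char *name)
{
    if (is_special_name(name) || escapes_cwd(name))
        return false;
    return fnmatch(pattern, name, FNM_PATHNAME | FNM_PERIOD) == 0;
}

/* Filter a list of names; accepted names are copied into accepted[] (up to
 * cap entries) and the count is returned. Rejected names are reported. */
size_t filter_mget_list(const char *pattern, const char *const *names, size_t n,
                        const char **accepted, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++) {
        if (mget_name_ok(pattern, names[i]))
            accepted[kept++] = names[i];
        else
            fprintf(stderr, "mget: ignoring server-supplied name \"%s\"\n",
                    names[i]);
    }
    return kept;
}

int main(void)
{
    /* Constructed reply to "mget *" from a hostile server: two legitimate
     * names mixed with traversal, pipe, stdout and absolute-path entries. */
    const char *reply[] = { "foo.txt", "bar.c", "../.rhosts", "|sh", "-",
                            "/etc/passwd", ".hidden" };
    const char *ok[8];
    size_t n = filter_mget_list("*", reply, 7, ok, 8);
    for (size_t i = 0; i < n; i++)
        printf("would fetch: %s\n", ok[i]);  /* foo.txt and bar.c only */
    return 0;
}
```

The pattern check alone already excludes "../.rhosts" under these glob flags; escapes_cwd() is kept as a separate rule so that a user pattern such as "../*" or "/*" still cannot be turned into a write outside the working directory by the server's choice of names.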