NetBSD Problem Report #13541

Received: (qmail 12941 invoked from network); 23 Jul 2001 16:41:02 -0000
Message-Id: <20010723164431.BAC1F1110F@www.netbsd.org>
Date: Mon, 23 Jul 2001 09:44:31 -0700 (PDT)
From: eravin@panix.com
Sender: nobody@netbsd.org
Reply-To: eravin@panix.com
To: gnats-bugs@gnats.netbsd.org
Subject: ftpd unable to "LIST" filenames that begin with hyphen
X-Send-Pr-Version: www-1.0

>Number:         13541
>Category:       bin
>Synopsis:       ftpd unable to "LIST" filenames that begin with hyphen
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          suspended
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 23 16:42:00 +0000 2001
>Closed-Date:    
>Last-Modified:  Sat Oct 26 10:41:51 +0000 2002
>Originator:     Ed Ravin
>Release:        1.5
>Organization:
Panix
>Environment:
NetBSD panix1.panix.com 1.5.1 NetBSD 1.5.1 (PANIX-USER) #0: Mon Jun 25 21:35:49 EDT 2001 root@byzantium.nyc.access.net:/devel/netbsd/release-1.5/src/sys/arch/i386/compile/PANIX-USER i386
>Description:
If a filename in the current directory begins with "-" (hyphen), the
LIST command will not be able to show it, because /bin/ls sees the
filename as an option specification.
>How-To-Repeat:
create a file named "-" in a directory accessible by FTP
log in with the FTP client and chdir to that directory
"dir -" will return nothing, "nlist -" will show the file exists

>Fix:
in ftpcmds.[cy] and cmds.c, suggest that you change options to ls
from "-lgA" to "-lgA --"

Might need to make this configurable if some versions of "ls" don't
support the "--" escape.

Hmmm, this bug might have security implications if anyone ever added
options to "ls" that made it read or write to filenames or pipes, which
is another good reason to use the "--" to cancel all further option
processing.

The "--" feature works for NetBSD ls and rm, but does not seem to
be documented (man pages I checked were dated 1998).
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->lukem 
Responsible-Changed-By: lukem 
Responsible-Changed-When: Mon Jul 23 16:25:09 PDT 2001 
Responsible-Changed-Why:  
i'll take this one 

From: Luke Mewburn <lukem@wasabisystems.com>
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/13541: ftpd unable to "LIST" filenames that begin with hyphen
Date: Tue, 24 Jul 2001 09:28:42 +1000

 On Mon, Jul 23, 2001 at 09:44:31AM -0700, eravin@panix.com wrote:
 > >Description:
 > If a filename in the current directory begins with "-" (hyphen), the
 > LIST command will not be able to show it, because /bin/ls sees the
 > filename as an option specification.
 > >How-To-Repeat:
 > create a file named "-" in a directory accessible by FTP
 > log in with the FTP client and chdir to that directory
 > "dir -" will return nothing, "nlist -" will show the file exists
 > 
 > >Fix:
 > in ftpcmds.[cy] and cmds.c, suggest that you change options to ls
 > from "-lgA" to "-lgA --"
 > 
 > Might need to make this configurable if some versions of "ls" don't
 > support the "--" escape.

 ftpd uses a built-in version of ls(1), so this is a moot point :)

 > Hmmm, this bug might have security implications if anyone ever added
 > options to "ls" that made it read or write to filenames or pipes, which
 > is another good reason to use the "--" to cancel all further option
 > processing.
 > 
 > The "--" feature works for NetBSD ls and rm, but does not seem to
 > be documented (man pages I checked were dated 1998).

 It is documented in getopt(3), which is what 99% of NetBSD tools use
 for option processing.

 Thanks for the PR; I'll take a look at this.

From: Robert Elz <kre@munnari.OZ.AU>
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/13541: ftpd unable to "LIST" filenames that begin with hyphen 
Date: Thu, 26 Jul 2001 21:29:21 +0700

     Date:        Mon, 23 Jul 2001 09:44:31 -0700 (PDT)
     From:        eravin@panix.com
     Message-ID:  <20010723164431.BAC1F1110F@www.netbsd.org>

   | If a filename in the current directory begins with "-" (hyphen), the
   | LIST command will not be able to show it, because /bin/ls sees the
   | filename as an option specification.

 This is certainly true, and almost certainly a violation of the FTP
 specs ... however it is the way it always has been with unix FTP
 servers, to the extent that it is now "assumed" to work the way it
 does, fixing this would break far more than any benefit that can
 possibly be gained from it.

 The traditional way (before someone decided that '--' really had
 to be invented) to deal with this is simply to use some other
 name for the file (unix files all have lots of alternative names),
 the simplest one would be ./- which ftp will list for you just fine.

 Adding the "--" as suggested would break "dir -rt" and similar commands (or 
 "ls -lt" from a unix client) which people (and scripts) simply assume will
 work.   It isn't the way FTP is supposed to work, but it is too ingrained
 now to change.

 This can get fixed when we get ftp clients that use the MLST command instead
 of LIST, and format (including sorting) the results for themselves.  Then
 there'll be no need to be able to pass options to the remote "ls" command
 (there are no options that can be passed that way).

 In any case, please, no-one "fix" ftpd as suggested here.

   | The "--" feature works for NetBSD ls and rm, but does not seem to
   | be documented (man pages I checked were dated 1998).

 It is probably documented in getopt(3) (probably getopt(1) as well).

 kre


From: Ed Ravin <eravin@panix.com>
To: kre@munnari.OZ.AU (Robert Elz)
Cc: eravin@panix.com, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/13541: ftpd unable to "LIST" filenames that begin with hyphen
Date: Thu, 26 Jul 2001 12:30:25 -0400 (EDT)

 Robert Elz writes:
 > 
 >     Date:        Mon, 23 Jul 2001 09:44:31 -0700 (PDT)
 >     From:        eravin@panix.com
 >     Message-ID:  <20010723164431.BAC1F1110F@www.netbsd.org>
 > 
 >   | If a filename in the current directory begins with "-" (hyphen), the
 >   | LIST command will not be able to show it, because /bin/ls sees the
 >   | filename as an option specification.
 > 
 > This is certainly true, and almost certainly a violation of the FTP
 > specs ... however it is the way it always has been with unix FTP
 > servers, to the extent that it is now "assumed" to work the way it
 > does, fixing this would break far more than any benefit that can
 > possibly be gained from it.

 But NetBSD has already broken this assumption with lukemftpd -
 please see:

   http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=12667

 which describes how the Emacs ange-ftp client no longer works with
 NetBSD ftpd [because ftpd is now bypassing shell interpretation when
 invoking "ls", and the spaces in a filename argument like "-lt file"
 are no longer getting parsed].

 > Adding the "--" as suggested would break "dir -rt" and similar commands (or 
 > "ls -lt" from a unix client) which people (and scripts) simply assume will
 > work.   It isn't the way FTP is supposed to work, but it is too ingrained
 > now to change.

 Then perhaps you'll want to look at bug 12667 and change ftpd back...

 	-- Ed
State-Changed-From-To: open->suspended 
State-Changed-By: lukem 
State-Changed-When: Tue Nov 27 16:27:32 PST 2001 
State-Changed-Why:  
I agree with kre's view. The problem isn't technically resolved
though, so I'm suspending this PR for further thought.
Responsible-Changed-From-To: lukem->bin-bug-people 
Responsible-Changed-By: lukem 
Responsible-Changed-When: Sat Oct 26 03:41:18 PDT 2002 
Responsible-Changed-Why:  
I'm not Mr Ftpd any more 
>Unformatted:
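
The option-parsing ambiguity debated in this thread, as an added example (not part of the PR and not ftpd's own code): it builds the `ls` argument vector for a LIST argument with and without `--` and parses it with getopt(3). The option subset `lgArt`, the helper `list_cmd` and the sample arguments `-rt` and `./-rt` are assumptions chosen for illustration.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LS_OPTS "lgArt"  /* constructed subset of ls(1) flags (assumption) */

struct parsed {
    char flags[16];    /* option letters getopt accepted, in order */
    char operand[64];  /* first file operand, "" if none */
};

/* Hypothetical helper: parse "ls -lgA [--] <client_arg>" with getopt(3). */
static struct parsed list_cmd(const char *client_arg, int use_dashdash)
{
    static char ls[] = "ls", base[] = "-lgA", dd[] = "--";
    char arg[64], *argv[5] = { ls, base };
    struct parsed p = { "", "" };
    size_t n = 0;
    int argc = 2, c;
    snprintf(arg, sizeof arg, "%s", client_arg);
    if (use_dashdash)
        argv[argc++] = dd;      /* everything after this is an operand */
    argv[argc++] = arg;         /* argv[argc] stays NULL */
    opterr = 0;                 /* keep getopt quiet */
#ifdef __linux__
    optind = 0;                 /* glibc/musl: re-initialise the scanner */
#else
    optind = 1; optreset = 1;   /* BSD libc */
#endif
    while ((c = getopt(argc, argv, LS_OPTS)) != -1)
        if (c != '?' && n < sizeof p.flags - 1)
            p.flags[n++] = (char)c;
    if (optind < argc)
        snprintf(p.operand, sizeof p.operand, "%s", argv[optind]);
    return p;
}

int main(void)
{
    const char *args[] = { "-rt", "./-rt" };  /* constructed LIST arguments */
    for (int dd = 0; dd < 2; dd++)
        for (int i = 0; i < 2; i++) {
            struct parsed p = list_cmd(args[i], dd);
            printf("dashdash=%d arg=%-6s flags=%-6s operand=%s\n",
                   dd, args[i], p.flags, p.operand[0] ? p.operand : "(none)");
        }
    return 0;
}
```

Without `--` the argument `-rt` is consumed entirely as options and no file operand remains; with `--` it becomes a file operand, which is the behaviour change to `dir -rt` that kre objects to. The `./-rt` form is treated as a file name in both cases.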
