NetBSD Problem Report #13541
Received: (qmail 12941 invoked from network); 23 Jul 2001 16:41:02 -0000
Message-Id: <20010723164431.BAC1F1110F@www.netbsd.org>
Date: Mon, 23 Jul 2001 09:44:31 -0700 (PDT)
From: eravin@panix.com
Sender: nobody@netbsd.org
Reply-To: eravin@panix.com
To: gnats-bugs@gnats.netbsd.org
Subject: ftpd unable to "LIST" filenames that begin with hyphen
X-Send-Pr-Version: www-1.0
>Number: 13541
>Category: bin
>Synopsis: ftpd unable to "LIST" filenames that begin with hyphen
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: suspended
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 23 16:42:00 +0000 2001
>Closed-Date:
>Last-Modified: Sat Oct 26 10:41:51 +0000 2002
>Originator: Ed Ravin
>Release: 1.5
>Organization:
Panix
>Environment:
NetBSD panix1.panix.com 1.5.1 NetBSD 1.5.1 (PANIX-USER) #0: Mon Jun 25 21:35:49 EDT 2001 ro
ot@byzantium.nyc.access.net:/devel/netbsd/release-1.5/src/sys/arch/i386/compile/PANIX-USER i386
>Description:
If a filename in the current directory begins with "-" (hyphen), the
LIST command will not be able to show it, because /bin/ls sees the
filename as an option specification.
>How-To-Repeat:
create a file named "-" in a directory accessible by FTP
log in with the FTP client and chdir to that directory
"dir -" will return nothing, "nlist -" will show the file exists
>Fix:
in ftpcmds.[cy] and cmds.c, suggest that you change options to ls
from "-lgA" to "-lgA --"
Might need to make this configurable if some versions of "ls" don't
support the "--" escape.
Hmmm, this bug might have security implications if anyone ever added
options to "ls" that made it read or write to filenames or pipes, which
is another good reason to use the "--" to cancel all further option
processing.
The "--" feature works for NetBSD ls and rm, but does not seem to
be documented (man pages I checked were dated 1998).
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: bin-bug-people->lukem
Responsible-Changed-By: lukem
Responsible-Changed-When: Mon Jul 23 16:25:09 PDT 2001
Responsible-Changed-Why:
i'll take this one
From: Luke Mewburn <lukem@wasabisystems.com>
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/13541: ftpd unable to "LIST" filenames that begin with hyphen
Date: Tue, 24 Jul 2001 09:28:42 +1000
On Mon, Jul 23, 2001 at 09:44:31AM -0700, eravin@panix.com wrote:
> >Description:
> If a filename in the current directory begins with "-" (hyphen), the
> LIST command will not be able to show it, because /bin/ls sees the
> filename as an option specification.
> >How-To-Repeat:
> create a file named "-" in a directory accessible by FTP
> log in with the FTP client and chdir to that directory
> "dir -" will return nothing, "nlist -" will show the file exists
>
> >Fix:
> in ftpcmds.[cy] and cmds.c, suggest that you change options to ls
> from "-lgA" to "-lgA --"
>
> Might need to make this configurable if some versions of "ls" don't
> support the "--" escape.
ftpd uses a built-in version of ls(1), so this is a moot point :)
> Hmmm, this bug might have security implications if anyone ever added
> options to "ls" that made it read or write to filenames or pipes, which
> is another good reason to use the "--" to cancel all further option
> processing.
>
> The "--" feature works for NetBSD ls and rm, but does not seem to
> be documented (man pages I checked were dated 1998).
It is documented in getopt(3), which is what 99% of NetBSD tools use
for option processing.
Thanks for the PR; I'll take a look at this.
From: Robert Elz <kre@munnari.OZ.AU>
To: eravin@panix.com
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/13541: ftpd unable to "LIST" filenames that begin with hyphen
Date: Thu, 26 Jul 2001 21:29:21 +0700
Date: Mon, 23 Jul 2001 09:44:31 -0700 (PDT)
From: eravin@panix.com
Message-ID: <20010723164431.BAC1F1110F@www.netbsd.org>
| If a filename in the current directory begins with "-" (hyphen), the
| LIST command will not be able to show it, because /bin/ls sees the
| filename as an option specification.
This is certainly true, and almost certainly a violation of the FTP
specs ... however it is the way it always has been with unix FTP
servers, to the extent that it is now "assumed" to work the way it
does, fixing this would break far more than any benefit that can
possibly be gained from it.
The traditional way (before someone decided that '--' really had
to be invented) to deal with this is simply to use some other
name for the file (unix files all have lots of alternative names),
the simplest one would be ./- which ftp will list for you just fine.
Adding the "--" as suggested would break "dir -rt" and similar commands (or
"ls -lt" from a unix client) which people (and scripts) simply assume will
work. It isn't the way FTP is supposed to work, but it is too ingrained
now to change.
This can get fixed when we get ftp clients that use the MLST command instead
of LIST, and format (including sorting) the results for themselves. Then
there'll be no need to be able to pass options to the remote "ls" command
(there are no options that can be passed that way).
In any case, please, no-one "fix" ftpd as suggested here.
| The "--" feature works for NetBSD ls and rm, but does not seem to
| be documented (man pages I checked were dated 1998).
It is probably documented in getopt(3) (probably getopt(1) as well).
kre
From: Ed Ravin <eravin@panix.com>
To: kre@munnari.OZ.AU (Robert Elz)
Cc: eravin@panix.com, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/13541: ftpd unable to "LIST" filenames that begin with hyphen
Date: Thu, 26 Jul 2001 12:30:25 -0400 (EDT)
Robert Elz writes:
>
> Date: Mon, 23 Jul 2001 09:44:31 -0700 (PDT)
> From: eravin@panix.com
> Message-ID: <20010723164431.BAC1F1110F@www.netbsd.org>
>
> | If a filename in the current directory begins with "-" (hyphen), the
> | LIST command will not be able to show it, because /bin/ls sees the
> | filename as an option specification.
>
> This is certainly true, and almost certainly a violation of the FTP
> specs ... however it is the way it always has been with unix FTP
> servers, to the extent that it is now "assumed" to work the way it
> does, fixing this would break far more than any benefit that can
> possibly be gained from it.
But NetBSD has already broken this assumption with lukemftpd -
please see:
http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=12667
which describes how the Emacs ange-ftp client no longer works with
NetBSD ftpd [because ftpd is now bypassing shell interpretation when
invoking "ls", and the spaces in a filename argument like "-lt file"
are no longer getting parsed].
> Adding the "--" as suggested would break "dir -rt" and similar commands (or
> "ls -lt" from a unix client) which people (and scripts) simply assume will
> work. It isn't the way FTP is supposed to work, but it is too ingrained
> now to change.
Then perhaps you'll want to look at bug 12667 and change ftpd back...
-- Ed
State-Changed-From-To: open->suspended
State-Changed-By: lukem
State-Changed-When: Tue Nov 27 16:27:32 PST 2001
State-Changed-Why:
I agree with kre's view. The problem isn't technically resolved
though, so I'm suspending this PR for further thought.
Responsible-Changed-From-To: lukem->bin-bug-people
Responsible-Changed-By: lukem
Responsible-Changed-When: Sat Oct 26 03:41:18 PDT 2002
Responsible-Changed-Why:
I'm not Mr Ftpd any more
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.