Home | History | Annotate | Download | only in ftpd
History log of /src/libexec/ftpd/ftpcmd.y
RevisionDateAuthorComments
 1.96  16-Feb-2024  jkoshy Remove obsolete code.

Per src/doc/CHANGES.prev support for the NI_WITHSCOPEID flag was removed
in NetBSD 1.6.
 1.95  22-Sep-2023  shm Add missing check_login checks for MLST and MLSD
 1.94  10-Aug-2015  shm branches: 1.94.8; 1.94.18; 1.94.26;
Use explicit_memset(3) instead of memset(3) to clear password
 1.93  16-Sep-2011  plunky NULL does not need a cast, here
 1.92  01-Jul-2011  joerg Fix memcpy usage.
 1.91  14-Jan-2011  christos PR/44390: Paul Koning: make code gcc-4.5.1 friendly.
 1.90  13-Jul-2009  roy Rename internal getline() function to get_line() so it does
conflict with the soon to be added getline(3) libc function.
 1.89  15-Mar-2009  lukem Fix WARNS=4 issues (const & sign mismatches, etc)
Ensure various ftpd.conf values can't exceed their underlying types.
 1.88  13-Sep-2008  lukem branches: 1.88.6;
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.org>
 1.87  28-Apr-2008  martin branches: 1.87.2;
Remove clause 3 and 4 from TNF licenses
 1.86  22-Jul-2007  lukem branches: 1.86.10; 1.86.12;
Rename HAVE_SOCKADDR_SA_LEN to HAVE_STRUCT_SOCKADDR_SA_LEN.
Use defined(HAVE_foo) instead of just testing HAVE_foo.
 1.85  10-May-2007  lukem Replace references from draft-ietf-ftpext-mlst-NN to RFC 3659.
 1.84  01-Feb-2006  christos branches: 1.84.4; 1.84.8;
debug -> ftpd_debug
xstrdup -> ftpd_strdup
 1.83  03-Mar-2005  ginsbach branches: 1.83.2; 1.83.4; 1.83.6;
* Add hidesymlinks configuration option
This adds a -L to all ls command arguments so that the file or directory
the link references is listed rather than the link itself. This was
inspired by IRIX ftpd's -S option.
[Discussed with lukem some time ago.]
* Crank version.h [right Luke? :-)]
 1.82  05-Jan-2005  lukem Reorder some declarations so that parsers generated by bison can compile.
Fix from Michael Richardson.
 1.81  05-Nov-2004  dsl Add (unsigned char) cast to ctype functions
 1.80  09-Aug-2004  lukem Fixes from (or inspired by) OpenBSD:
* Fix yacc parser error recovery so that setjmp(3)/longjmp(3) is unnecessary.
* Fix SIGURG handler to set an urgflag that's later tested, rather than
abusing setjmp(3)/longjmp(3).
* Use "volatile sig_atomic_t" as the type of variables modified by sig handlers.
* Use sigaction(3) instead of signal(3) to set the signal handlers.
* Only set the main SIGALRM handler once. If we need to change it,
cache the old handler and restore appropriately...
* Remove a bunch of signal races by improving the signal handlers.
* Fix memory leak with 'ESPV ALL'.

My stuff:
* Clean up the debug message in reply(); use vsnprintf(3) instead of vsyslog(3).
* Rework parsing of OOB commands to _not_ use the yacc parser, since the
latter isn't reentrant and the hacks to work around that are ugly.
We now examine urgflag at appropriate locations and call handleoobcmd()
if it's set. Since the only OOB commands we currently implement are
ABOR and STAT, this isn't an issue. (I also can't find the reference in
RFC2228 where MIC, CONF & ENC are OOB-only commands. Go figure.)
I could clean up the is_oob stuff some more, but the remaining stuff
in ftpcmd.y is harmless and it's unnecessary churn right this moment.
 1.79  16-Jul-2004  lukem Correctly clamp illegal "SITE CHMOD" mode values. From OpenBSD.
 1.78  16-Jul-2004  lukem Fix minor memory leak with fromname. Inspired by OpenBSD.
 1.77  07-Aug-2003  agc branches: 1.77.2;
Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22284, verified by myself.
 1.76  03-Mar-2003  lukem Don't declare "yylex()" static; AFAICT it shouldn't be, and it causes
build problems with the output of some versions of yacc.
 1.75  03-Mar-2003  lukem Fix typos accidentally introduced in rev 1.70 as part of the large
number support.
(NetBSD yacc didn't barf on these, although Solaris and HP/UX's did...)
 1.74  24-Feb-2003  lukem use LLT and STRTOLL() instead of off_t and strtoull() for parsing the
"larger than int" arguments from commands. improves portability.
 1.73  22-Jan-2003  lukem Fixes from Dmitry Sivachenko <demon@freebsd.org>:
- always set "curname" to something appropriate (even when logging is
not in effect).
- fix usage for "PORT" command
 1.72  29-Nov-2002  lukem - convert to using libc's strsuftoll(3)
- use LLT (aka 'long long type') for all numeric class parameters
- improve description of various ftpd.conf(5) options
- statcmd(): print out: mmapsize readsize writesize sendbufsize sendlowat
 1.71  12-Oct-2002  darrenr * enclose unknown command strings inside a pair of 's to clearly mark the
text as being the 'whole' part received.
* change a HELP reply from 214 to 504 when there is an error looking for
help on a command.
 1.70  02-Jul-2002  lukem - Change lexer to support numbers > 2^31-1 (stored in an off_t), and allow
RESTart to use the larger numbers.
Fix from Maxim Konovalov <maxim@freebsd.org>
- Update version
- Minor whitespace changes
 1.69  30-Jun-2002  tv We really, actually, positively want to apply the ftpd.conf "passive"
option to all possible *PSV commands. Some ftp servers are simply not
capable of passive connections, hence the option....
 1.68  15-Jun-2002  lukem crank copyright
 1.67  15-Jun-2002  lukem Implement "SITE UMASK" `enabled command' check with (modified)
check_write(), so that a user who has modify disabled gets an error
message rather than a hung connection.
Noted by M.J. Rutter <mjr19@cus.cam.ac.uk> in private email.
 1.66  01-Dec-2001  lukem branches: 1.66.2;
- enable case insensitive fnmatch(3)ing for hostname globs in ftpusers(5)
- enable WARNS=2
 1.65  25-Apr-2001  lukem crank copyrights of files changed this year
remove superfluous byte_count update in send_file_list
crank version
 1.64  17-Apr-2001  lukem use own code instead of bother with glob() to do ~ expansion in pathname;
there's no need to support glob wildcards in this case when it's not expanded
here in the non-~ case
 1.63  17-Apr-2001  lukem limit the number of matches in a ~ pathname glob, and complain if more
than one path is matched.
 1.62  12-Apr-2001  lukem minor knf post aidan's oob rototill
 1.61  10-Apr-2001  itojun make checkportcmd address family independent, and correct IPv4 case. PR 12558.
 1.60  01-Apr-2001  aidan As threatened, handle OOB commands from within ftpcmd.y.
This involved changing the yacc syntax to be line-oriented, rather than
having it run against the entire input at once, and adding a flag to
struct tab, to indicate if or not it's acceptable for a command to occur
OOB.
 1.59  18-Dec-2000  lukem Features:

* Add ftpd.conf(5) directive `advertise'; change the address that is
advertised to the client for PASV transfers. this may be useful in
certain firewall/NAT environments.

Feature requested in [bin/9606] by Scott Presnell.

* Add -X option; syslog wu-ftpd style xferlog messages, prefixed with
`xferlog: '. An example line from syslog (wrapped):
Dec 16 18:50:24 odysseus ftpd[571]: xferlog: Sat Dec 16 18:50:24 2000
2 localhost 3747328 /pub/WLW2K601.EXE b _ o a lukem@ FTP 0 * c

These messages can be converted to a wu-ftpd style xferlog file
suitable for parsing with third-party tools with something like:
grep 'xferlog: ' /var/log/xferlog | \
sed -e 's/^.*xferlog: //' >wuxferlog

The format is the same as the wu-ftpd xferlog entries (with the leading
syslog stuff), but different from the wu-ftpd syslogged xferlog entries
because the latter is not as easy to convert into the standard xferlog
file format.

The choice to only syslog the xferlog messages rather than append to
a /var/log/xferlog file was made because the latter doesn't work to
well in the situation where the logfile is rotated and compressed and
a long-running ftpd still has a file-descriptor to the now nonexistant
xferlog file, and the log message will then get lost.

Feature requested in [bin/11651] by Hubert Feyrer.


Fixes:

* In ftpd(8), clarify the -a and -c options.

* More clarifications in ftpd.conf(5).

* Ensure that all ftpd.conf commands set a parameter back to sane defaults
if an argument of `none' or bad settings are given.

* Support the `chroot' directive for `REAL' users too (for consistency).

* For `GUEST' users, store the supplied password in pw->pw_passwd for use
later in the xferlog.

* If show_chdir_messages() is given a code of -1, flush the cache of
visited directories. Invoke show_chdir_messages(-1) in end_login().

* Only syslog session stats if logging is requested.

* Rename logcmd() -> logxfer(), and dolog() -> logremotehost().

* Use cprintf() instead of fprintf() where appropriate.

* Minor KNF, and make a couple of functions static that were declared static.
 1.58  30-Nov-2000  lukem - move password checking into separate valid_passwd() function, to assist
in porting to other systems.
- don't syslog() or setproctitle() "ACCT" lines (as per "PASS")
- replace #ifdef HASSETPROCTITLE with #if HAVE_SETPROCTITLE, and set the
latter #ifdef BSD4_4
- don't compile in internal `ls' #ifdef NO_INTERNAL_LS. will need Makefile
support if this is to be used on NetBSD.
 1.57  28-Nov-2000  lukem - ensure all uses of AF_INET6 are wrapped in #ifdef INET6
- don't define `ALL' as a token twice in the grammar
 1.56  16-Nov-2000  lukem - new ftpd.conf directives:
maxfilesize set the maximum size of uploaded files
sanenames if set, only permit uploaded filenames that contain
characters from the set "-+,._A-Za-z0-9" and that
don't start with `.'

- new/changed command line options:
-e emailaddr define email address for %E (see below)
-P dataport use dataport as the dataport (instead of ctrlport-1)
-q use pid files to count users [default]
-Q don't use pid files to count users
-u write entries to utmp
-U don't write entries to utmp [default]
-w write entries to wtmp [default]
-W don't write entries to wtmp

NOTE: -U used to mean `write utmp entries'. Its meaning has changed
so that it's orthogonal with -q/-Q and -w/-W. This isn't
considered a major problem, because using -U isn't going to
enable something you don't want, but will disable something
you did want (which is safer).

- new display file escape sequences:
%E email address
%s literal `s' if the previous %M or %N wasn't ``1''.
%S literal `S' if the previous %M or %N wasn't ``1''.

- expand the description of building ~ftp/incoming to cover the
appropriate ftpd.conf(5) directives (which are defaults, but it pays
to explicitly explain them)

- replace strsuftoi() with strsuftoll(), which returns a long long if
supported, otherwise a long

- rework the way that check_modify and check_upload are done in the yacc
parser; they're merged into a common check_write() function which is
called explicitly

- merge all ftpclass `flag variables' into a single bitfield-based flag element

- move various common bits of parse_conf() into a couple of macros

- clean up some comments
 1.55  15-Nov-2000  lukem changes to improve portability:
* replace union sockunion {} with struct sockinet {}, and modify the code
accordingly. this is possibly more portable, as it doesn't rely upon
the structure alignment within the union for our own stuff. uses local
su_len unless HAVE_SOCKADDR_SA_LEN is defined (set ifdef BSD4_4)
(XXX: haven't tested the ipv6 stuff)
* always use getaddrinfo() and getnameinfo() instead of maintaining two code
paths. (lukemftpd will provide replacements for these on older systems)
* use lockf() instead of open(.., O_EXLOCK) to lock the pid file
* minor KNF
* clean up long long support: create helper #defines and use as appropriate:
#define NO_LONG_LONG ! NO_LONG_LONG
------- ------------ --------------
LLF "%ld" "%lld"
LLFP(x) "%" x "ld" "%" x "lld"
LLT long long long
ULLF "%lu" "%llu"
ULLFP(x) "%" x "lu" "%" x "llu"
ULLT unsigned long unsigned long long
STRTOLL(x,y,z) strtol(x,y,z) strtoll(x,y,z)
 1.54  13-Nov-2000  itojun - improve RFC2428 conformance.
return 522 on unknown protocol identifier on EPRT.
- clarify EPSV/EPRT/LPSV/LPRT behavior.
- repair memory leak and lack of boundary check on EPRT.
- make sure we do not resolve DNS on EPRT.
sync with kame.
 1.53  15-Sep-2000  christos Make this compile again without -DINET6 and without get{addr,name}info(3)
This ftpd now compiles and runs on NetBSD/1.4.2 with:

CPPFLAGS+= \
'-Dstrlcpy(a,b,c)=(strncpy(a,b,c),strlen(a))' \
'-Dstrlcat=strncat' \
'-Dsl_add(a,b)=(sl_add(a,b),0)'
 1.52  23-Jul-2000  lukem * make checkportcmd the default. this breaks third-party proxy ftp but
prevents the ftp bounce attack, and we should be secure out of the
box, not require users to tweak obscure stuff.
* allow the version string reported to clients to be changed with '-V vers'.
if vers is empty or `-', don't report a version.
* if -r is given, permanently drop root privs
* if not a REAL user (i.e, GUEST or CHROOT), and ftpd is running on a port
> IPPORT_RESERVED+1, permanently drop root privs
* don't bother reverting to root privs to logout of wtmp/utmp; since the
file descriptor is already open this isn't necessary.
* fix the binding of the port for the PORT/LPRT/EPRT connection to be the
ctrl_addr.su_port-1, not hardcoded to `20' (this was broken in the ipv6
merge). if root privs have been dropped, and this would be a port <
IPPORT_RESERVED, use a random port instead (which isn't RFC959 compliant
but it doesn't appear that many clients care).
* prevent login of a new user if privs have been dropped and already logged
in as a REAL user (existing check already stops GUEST & CHROOT users).
* move the port check stuff into a separate port_check() function, and use
for PORT, LPRT, and EPRT checks. inspired by freebsd
* minor KNF
* minor man page cleanup
 1.51  17-Jul-2000  lukem * add two new ftpd.conf(5) directives:
chroot specify dir to chroot to for GUEST and CHROOT users, to
override -a anondir or the user's homedir.
homedir specify dir to change to upon login; also used for ~ expansion
and $HOME for subprocesses)
both of these can take % escapes: %u (username), %d (homedir), %c (class).
* fix NLST to take a pathname not a STRING, so that ~ expansion works
* modify CWD to use the homedir parsed from curclass.homedir
* implement format_path(dst, src), to parse src expanding % escapes (see above)
into dst.
* rename format_file() to display_file()
 1.50  15-Jul-2000  lukem * add -H, which acts like -h `hostname`. (requested by kim@)
* refer to draft-ietf-ftpext-mlst-11 instead of -10
 1.49  08-Jul-2000  sommerfeld More format paranoia.
 1.48  19-Jun-2000  lukem branches: 1.48.2;
various fixes suggested by Robert Elz:
* implement closedataconn() and use appropriately (including in mlsd())
* only put leading space in front of MLST output (not MLSD output)
* MLSD: only output pdir and cdir entries when the type fact is requested.
* change error code for giving MLSD a non-directory from 550 to 501
* remove MLSx Type fact support for UNIX.* for now; it's not standardised yet.
* do a check_login when MLSD and MLST are given no args
* detect & complain about null facts in OPTS MLST
* cache getgroups() at login instead of calling each time in fact_perm()

other mods:
* implement cprintf(); as per fprintf() but increments total_bytes{,_out}
* implement CPUTC(); as per putc() but increments total_bytes{,_out}
* implement base64_encode()
* fact_unique() display base64 encoding of dev_t and ino_t rather than
hex output; should scale if size of those changes
* change reply() so that a negative code acts as the initial line in a reply,
code == 0 prefixes the line with 4 spaces, and code > 0 works as before.
deprecate lreply(code, ) and lreply(0, ) in favour of reply(-code, ) and
reply(0, ) respectively.
* use cprintf() and CPUTC() appropriately (often instead of printf(),
lreply(-2, ) or lreply(-1, ).
now we actually account for the data sent by MLST and MLSD.
* remove DEBUG support for sending MLSD output to control connection instead
of data connection (my ftp client now supports MLSD :-)
 1.47  14-Jun-2000  lukem major overhaul (just before netbsd 1.5 :-):

* implement draft-ietf-ftpext-mlst-10 commands, especially MLST and MLSD.
we already supported SIZE and MDTM. add the appropriate FEAT output lines.

* migrate a lot of the command code from ftpcmd.y and ftpd.c to cmds.c

* make dataconn(), feat(), lookup(), opts() and sizecmd() public

* modify struct tab so that it has a `flags' instead of `implemented' element,
and remove the `hasopts' element. If flags == 1, the command is implemented.
if flags == 2, the command is implemented and takes options

* add macros ISDOTDIR(x) (is x ".") and ISDOTDOTDIR(x) (is x "..")

* modify lreply() so that lreply(-2, ...) just outputs the given info without
a prefix or trailing \r\n. this saves doing b = printf(); total_* += b;

* enhance statcmd(). still needs work in the LPRT status stuff.

* crank version
 1.46  20-May-2000  lukem branches: 1.46.2;
convert to ANSI C as per style guide
 1.45  05-Mar-2000  lukem * don't bother with a version[] string, just use the macro as appropriate
* clean some more of the GLOBAL stuff
* fix unused var if -UHASSETPROCTITLE
 1.44  12-Jan-2000  lukem * add ftpd.conf directive `portrange class min max', which allows specification
of the port range used by passive connections. based on work in [bin/9158]
from Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
* change the way global variables are defined and extern-ed to be more
consistent.
 1.43  21-Dec-1999  lukem trivial simplification
 1.42  18-Dec-1999  lukem * move version to separate header file
* use .Dv and .Tn in the man pages as appropriate
* KNF a bit

The following were inspired by similar changes in openbsd, but may
have additional improvements by me:
* add more check_login tests to the parser rules
* nuke a few memory leaks in the parser rules
* clear passwords before free()ing them, for safety
* don't display \r\n in setproctitle() output
* add support for -U, which enables managing /var/run/utmp entries for
connections. solves [bin/2217] by Jason Downs <downsj@teeny.org>
* fix oob handling for STAT command
* use SIG_ERR instead of -1
 1.41  12-Dec-1999  lukem * change format of /etc/ftpusers lines from
userglob [allow|deny]
to
userglob[@host] [allow|deny [classname]]
where class is a userdefined classname.
- if host is given it may either be a CIDR address (e.g, `1.2.3.0/24') or a
hostglob (e.g, `*.foo.com'), and the remote host is matched against that.
- if classname is given, use that to match entries in ftpd.conf (defaults
to `guest' for `anonymous'/`ftp' logins, `chroot' for users found in
/etc/ftpchroot, and `real' for everyone else.

* implement new /etc/ftpd.conf directives:
classtype classname type set type of classname to GUEST, CHROOT, or REAL
motd classname file file to use instead of /etc/motd
rateget classname rate set rateget throttle to rate
rateput classname rate set rateput throttle to rate
upload classname allow/deny uploads (STOU, STOR, APPE). if
denied, also acts as `modify deny'.

* implement new `SITE' commands:
RATEGET as per /etc/ftpd.conf rateget, but cannot exceed that
RATEPUT as per /etc/ftpd.conf rateput, but cannot exceed that

* implement format_file(), which outputs a file to the user, parsing %
escapes. use to print /etc/ftpwelcome, /etc/motd, and the `display' file.

* implement strsuftoi() (from ftp(1)), which parses a number and
optional suffix (for use with rateget, etc)

* don't bother seteuid(0) ; bind(...) ; seteuid(pw->pw_uid), since
we don't need reserved ports (at wasn't getting them anyway).

* update & reorder copyrights

* use strlcpy() as appropriate
 1.40  07-Dec-1999  lukem * change ftpd_popen() to take char *argv[] instead of char *cmd.
the string tokenisation must be performed by the caller (which is
generally easy because it's almost always a static command).
* change do_conversion() to return a char *argv[] instead of char *cmd.
tokenisation of the command is done internally.
* change retrieve() to take char *argv[] instead of char *cmd.
(to take advantage of the above changes). fixes [bin/8173]
* use fparseln() instead of fgetln()
* store conversions in listed order (rather than reverse order)
* use stringlists instead of handrolling code to manage an argv.
 1.39  04-Oct-1999  tron Don't use undefined C expression. Patch supplied by David A. Holland
in PR bin/8534.
 1.38  06-Sep-1999  simonb branches: 1.38.2;
In the command table, remove a trailing comma and make white space
consistant.
 1.37  01-Sep-1999  itojun ftpd(8): Copy sin6_scope_id from control connection to active data
connection destination, hoping this to help ftpd's behavior with
scoped IPv6 addresses.
I'm not sure if it is the right way, but it is the best way available to us.
LPRT or EPRT command gives no information about which interface (or scope)
to be used for new data connection.

ftp(1): On data connection establishment, warn if scoped address is used.
If peer (ftp daemon) does not handle scoped address, data connection
may not work right.

This seems to be sort of protocol spec hole, not implementation issue.
 1.36  25-Aug-1999  christos Make this compile with krb5.
 1.35  11-Jul-1999  itojun more sanity check on LPRT.
 1.34  11-Jul-1999  itojun make LPRT on IPv4 work.
make LPSV on IPv6 work.
 1.33  02-Jul-1999  itojun close data socket when new EPRT command comes.
 1.32  02-Jul-1999  itojun dual-stack ftpd. run this from inetd, like:
>>ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll
 1.31  26-May-1999  lukem move stuff around, so the `thank you' message is counted in the
syslogged bytecount.
 1.30  24-May-1999  ross * Cast %q[ud] arguments to fix ILP32/LP64 off_t variation.
* Fix bug in 213 reply: correct ordering of format string args.
 1.29  24-May-1999  ross LP64ize %q use.
 1.28  18-May-1999  lukem * fix a problem in retrieve() where arguments to commands weren't working
(this was broken in the last commit). problem noticed by simonb@
* don't display the stderr output of the internal ls.
* modify usage of lreply so that generally only one `XXX-' code per
`block' is displayed; the rest of the lines have four spaces instead.
i find this easier to read.
* fix a couple places where byte accounting wasn't correct
 1.27  17-May-1999  lukem features/fixes:
* implement xferstats. full stats are displayed for `STAT', and a
summary is displayed upon exit (and syslogged). inspired by wu-ftpd.
* wrap data xfers in {send,receive}_data with alarm() timeouts. this
should remove the majority of the `hanging ftpd' problems that
people were still seeing. inspired by wu-ftpd.
* link with ../../bin/ls, so that bin/ls is not required under a
chroot()ed area for `LIST' to work. based on [bin/4497] from
"Soren S. Jorvang" <soren@t.dk>
* migrate code from util.c into ftpd.c, so that it doesn't conflict
with ls' util.c.
* remove man page comment about ~ftp/bin/ls being necessary.
* bump version to 7.2.0.
* syslog xfer time with xfer stats.
* if appropriate, syslog error message with command.

internal code stuff:
* change arguments of various functions from `char *' to `const char *'.
* define PLURAL(x) macro, which returns `' if x == 1, `s' otherwise.
use macro appropriately
* lreply(): a code of -1 means ``send line as is''. a code of 0
means ``send line with 4 space prefix''. don't print a space after
the `-' for any other code.
* logcmd(): add `const struct timeval *elapsed' and `const char *error'
for more flexible error reporting
 1.26  24-Feb-1999  explorer branches: 1.26.2;
Make this build with KERBEROS5 defined.
 1.25  05-Feb-1999  lukem * actually commit the changes which add support for recognising RFC 2228
commands (even if we don't do anything with them)
* in logcmd(), syslog why realpath() failed (if it did).
 1.24  28-Dec-1998  lukem * replace LOG(CMD|BYTES) macros with logcmd(), which is a cleaner
solution with less code replication. use realpath() in logcmd() so
that all logged filenames are sane.
* support `REST STREAM' in `FEAT' reply (from draft-ietf-ftpext-mlst-05)
* in 'HELP', suffix unimplemented commands with `-' instead of `*'; the
former is easier to differentiate from `+'.
* deprecate curdir() now that logcmd() doesn't use it.
* ensure all filename buffers are at least MAXPATHLEN+1 in size.
* move jmp_buf errcatch out of extern.h, removing need to #include <setjmp.h>
in every file.
 1.23  07-Sep-1998  lukem new features:
* implement FEAT and OPTS from RFC2389. FEAT returns SIZE and MDTM.
OPTS only works on NOOP (as a test).
* extend format of /etc/ftpchroot similar to /etc/ftpusers; each entry
can take an optional trailing `yes' or `no' which indicates if
chroot should be done (defaults to `yes').
based on patches from Ty Sarna <tsarna@endicor.com> in [bin/4769]

cleanups/bugs:
* reorder and reformat entries in yacc parser to match cmdtab[].
add a blank line between each rule.
* add short hasopts and char *options to struct tab, to support OPTS.
* deprecate upper(); use strcasecmp() instead of strcmp()
* remove unnecessary for (;;) { } in yylex();
* replace copy() and sgetsave() with xstrdup()
* fix a couple of `hasyyerrored = 1' that were accidently removed.
 1.22  06-Sep-1998  lukem * complete fix for `multiple replies returned for single parse error'
problem; move `hasyyerrored' state flag out of yylex() so that
check_{login,modify} can also set it.
* check result of check_login for PORT command
* set initial timeout before the "setjmp(); for(;;) yyparse()",
otherwise an invalid command after login incorrectly sets the timeout
to 5 minutes (rather than what was set in ftpd.conf)
* replace (char *)0 with NULL
* move yyerror() from ftpd.c to ftpcmd.y
* remove need for -Dunix, by using the version string from ftpd.c
(instead of `BSD-199506')
* move all extern-ed vars into extern.h
 1.21  05-Sep-1998  lukem * implement NOARGS state, for commands which don't take any arguments.
fixes long standing ftpd bug where two replies would be returned
to the client if a command was flagged as accepting `ARGS' but the
parser didn't know how to cope. obvious symptom of this would be
ftp client is always one error message `behind' the server.
* consistently refer to the RFC as `RFC 959' not `RFC959' or `RFC-959',
and replace refs to RFC 765 with RFC 959.
* change order of commands in cmdtab[] to: RFC 959, BSD extras, and obsolete.
* whitespace police, deprecate register, replace malloc/strcpy with strdup
 1.20  30-Jun-1998  tv Add the ability to disable passive connects in ftpd.conf (breaks RFC1123,
STD3, but needed in some firewall environments).
 1.19  21-Jun-1998  kleink GLOB_QUOTE is gone; per POSIX, backslash quoting of special characters being
enabled is the default behaviour.
 1.18  21-May-1998  lukem use TM_YEAR_BASE (not 1900) - not that we expect it to change in any case :)
 1.17  13-Feb-1998  cjs Disable RNFR command for guest users so that they can't rename (and thus
also overwrite!) files.
 1.16  11-Nov-1997  mrg oops, missed this bit in previous change.
 1.15  11-Nov-1997  mrg add a "checkportcmd <class>" option that stops ftp bounce attacks.
 1.14  24-Jun-1997  hannken branches: 1.14.2;
Add missing braces. `check_modify' returns 0 without a reply. See PR #3779.
 1.13  18-Jun-1997  christos - Pass gcc -Wall
- Fix incorrect const poisoning
- Fix ftpd_popen to dynamically allocate strings to avoid buffer overruns.
 1.12  14-Jun-1997  lukem * implement /etc/ftpd.conf, which adds support for the following features,
controllable on a per class (which is one of: real, chroot, guest,
all or none) basis:
* on-the-fly execution of a command to build the file (a ``conversion''),
providing support for "get dirname.tar" and the like.
* displaying the contents of a file when a directory is entered
for the first time.
* maximum value for timeout (replaces -T).
* control usage of CHMOD, DELE, MKD, RMD, UMASK; replacing -DINSECURE_GUEST.
* notifying the user of the existance of a files matching a glob
pattern when a directory is entered for the first time.
* default value for timeout (replaces -t).
* default umask (replaces -DGUEST_CMASK and -u).
The conversion, display, and notify functionality was based on code by
Simon Burge <simonb@telstra.com.au>.
* clean up and re-order parts of the man page into subsections.
* STAT displays the settings defined for the class of the current user.
* bump version from 6.00 to 7.00, because of ftpd.conf.
* deprecate -DGUEST_CMASK and -DINSECURE_GUEST in the Makefile, and
-t, -T and -u, as ftpd.conf allows finer control of these.
* add "nostderr" argument to ftpd_popen(), because you don't want the
stderr stream mixing with the stdout stream during a conversion,
as this can corrupt the stream.
 1.11  23-May-1997  cjs Allow setting the directory to which anonymous users chdir from
the command line. Document -u option. A couple of minor cleanups.
 1.10  17-May-1997  pk NULL => 0 (Arne Juul; PR#3629)
 1.9  27-Apr-1997  lukem * fix "cd ~" so that it works (from Simon Burge <simonb@telstra.com.au>
* move resetting of CFLAGS on powerpc to before optional CFLAGS settings
* minor code & man page cleanups
 1.8  30-Mar-1997  cjs Changes to make anonymous uploads more secure. For anonymous users:
* Set umask to 707;
* Disable UMASK, CHMOD, DELE, RMD and MKD commands.
Compile-time options let you change that umask and go back to the
old, insecure way if you like.
 1.7  08-Apr-1996  jtc Changed to use 1900 + tm_year instead of hardcoding "19" as the century.
From PR #2308 by Stephen J. Roznowski <sjr@zombie.ncsc.mil>.
 1.6  03-Jun-1995  mycroft Fill in sin_len.
 1.5  11-Apr-1995  cgd clean up RCS Id's and a couple of stype nits.
Also, fix bug 947 (reported by Luke Mewburn, extraneous vers.c)
 1.4  29-Jun-1994  deraadt 4.4-lite, plus our local changes
 1.3  14-Apr-1994  cgd use setproctitle
 1.2  01-Aug-1993  mycroft Add RCS identifiers.
 1.1  21-Mar-1993  cgd branches: 1.1.1;
Initial revision
 1.1.1.2  29-Mar-1997  cjs Lite-1 Import.
 1.1.1.1  21-Mar-1993  cgd initial import of 386bsd-0.1 sources
 1.14.2.3  14-Feb-1998  mellon Fix RNFR exploit
 1.14.2.2  11-Nov-1997  mrg weird. fix error in previous.
 1.14.2.1  11-Nov-1997  mrg pull up from trunk: add a "checkportcmd <class>" option that stops ftp bounce attacks.
 1.26.2.1  05-Oct-1999  he Pull up revision 1.39 (requested by tron):
Don't use an undefined C expression, fixing PR#8534.
 1.38.2.1  27-Dec-1999  wrstuden Pull up to last week's -current.
 1.46.2.1  22-Jun-2000  minoura Sync w/ netbsd-1-5-base.
 1.48.2.3  26-Aug-2004  jmc Pullup rev 1.60-1.80 (requested by he in ticket #158)

Update to NetBSD ftpd 20040809. Fixes SA#2004-009.
 1.48.2.2  29-Mar-2001  lukem sync ftpd to -current with the following revisions (for lukem/christos):
Makefile 1.43-1.44
cmds.c 1.7-1.8, 1.10-1.12
conf.c 1.35-1.40
extern.h 1.32-1.38
ftpcmd.y 1.53-1.59
ftpd.8 1.58-1.63
ftpd.c 1.102-1.104, 1.106-1.122
ftpd.conf.5 1.12-1.15
ftpusers.5 1.8
logwtmp.c 1.16
popen.c 1.23-1.25
version.h 1.28

a quick summary of user-visible changes;
- fix glob DoS by using GLOB_LIMIT
- add ftpd.conf directives `advertise', `maxfilesize', `sanenames'
- add flags: -P dataport, -X - wuftpd style log entries,
-q/-Q - (en|dis)able pidfiles, -u/-U - (en|dis)able utmp,
-w/-W - (en|dis)able wtmp
 1.48.2.1  25-Jul-2000  lukem user visible changes (besides checking the cvs log):
* make checkportcmd the default
* add -r; force permanent drop of root privs after login
* add -V vers; change version string to vers
* add -H; act as -h `hostname`
* permanently drop root privs if it makes sense to do so (e.g; logging in as
guest/chroot user on a port > 1024)
* fix reference to draft-ietf-ftpext-mlst-11
* add ftpd.conf directives: chroot, homedir
* fix base64_encode() and generation of the unique fact
* crank version to 20000723
 1.66.2.3  31-Aug-2004  jmc Pullup rev 1.68,1.70-1.80 (requested by he in ticket #1739)

Update to NetBSD ftpd 20040809. Fixes SA#2004-009.
 1.66.2.2  06-Nov-2002  tron Pull up revision 1.69 (requested by tv in ticket #418):
We really, actually, positively want to apply the ftpd.conf "passive"
option to all possible *PSV commands. Some ftp servers are simply not
capable of passive connections, hence the option....
 1.66.2.1  15-Jun-2002  lukem Pull up revision 1.67 (requested by lukem in ticket #282):
Implement "SITE UMASK" `enabled command' check with (modified)
check_write(), so that a user who has modify disabled gets an error
message rather than a hung connection.
Noted by M.J. Rutter <mjr19@cus.cam.ac.uk> in private email.
 1.77.2.3  12-Aug-2004  jmc Pullup rev 1.80 (requested by lukem in ticket #757)

* Fix yacc parser error recovery so that setjmp(3)/longjmp(3) is unnecessary.
* Fix SIGURG handler to set an urgflag that's later tested, rather than
abusing setjmp(3)/longjmp(3).
* Use "volatile sig_atomic_t" as the type of variables modified by sig handlers.
* Use sigaction(3) instead of signal(3) to set the signal handlers.
* Only set the main SIGALRM handler once. If we need to change it,
cache the old handler and restore appropriately...
* Remove a bunch of signal races by improving the signal handlers.
* Fix memory leak with 'ESPV ALL'.
* Clean up the debug message in reply(); use vsnprintf(3) instead of vsyslog(3).
* Rework parsing of OOB commands to _not_ use the yacc parser, since the
latter isn't reentrant and the hacks to work around that are ugly.
We now examine urgflag at appropriate locations and call handleoobcmd()
if it's set. Since the only OOB commands we currently implement are
ABOR and STAT, this isn't an issue.
 1.77.2.2  12-Aug-2004  jmc Pullup rev 1.79 (requested by lukem in ticket #756)

Correctly clamp illegal "SITE CHMOD" mode values.
 1.77.2.1  12-Aug-2004  jmc Pullup rev 1.78 (requested by lukem in ticket #755)

Fix minor memory leak with fromname.
 1.83.6.1  18-Sep-2008  bouyer Pull up following revision(s) (requested by lukem in ticket #1964):
libexec/ftpd/ftpd.c: revision 1.187 via patch
libexec/ftpd/extern.h: revision 1.58 via patch
libexec/ftpd/ftpcmd.y: revision 1.88 via patch
libexec/ftpd/version.h: patch
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.o=
rg>
 1.83.4.1  18-Sep-2008  bouyer Pull up following revision(s) (requested by lukem in ticket #1964):
libexec/ftpd/ftpd.c: revision 1.187 via patch
libexec/ftpd/extern.h: revision 1.58 via patch
libexec/ftpd/ftpcmd.y: revision 1.88 via patch
libexec/ftpd/version.h: patch
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.o=
rg>
 1.83.2.1  18-Sep-2008  bouyer Pull up following revision(s) (requested by lukem in ticket #1964):
libexec/ftpd/ftpd.c: revision 1.187 via patch
libexec/ftpd/extern.h: revision 1.58 via patch
libexec/ftpd/ftpcmd.y: revision 1.88 via patch
libexec/ftpd/version.h: patch
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.o=
rg>
 1.84.8.1  18-Sep-2008  bouyer Pull up following revision(s) (requested by lukem in ticket #1202):
libexec/ftpd/ftpd.c: revision 1.187
libexec/ftpd/extern.h: revision 1.58
libexec/ftpd/version.h: patch
libexec/ftpd/ftpcmd.y: revision 1.88
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.o=
rg>
 1.84.4.1  18-Sep-2008  bouyer Pull up following revision(s) (requested by lukem in ticket #1202):
libexec/ftpd/ftpd.c: revision 1.187
libexec/ftpd/extern.h: revision 1.58
libexec/ftpd/version.h: patch
libexec/ftpd/ftpcmd.y: revision 1.88
Don't split large commands into multiple commands; just fail on them.
This prevents CSRF-like attacks, when a web browser is used to access
an ftp server.
Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.
Fix mostly derived from OpenBSD, written by Moritz Jodeit <moritz@OpenBSD.o=
rg>
 1.86.12.2  22-Jul-2007  lukem Rename HAVE_SOCKADDR_SA_LEN to HAVE_STRUCT_SOCKADDR_SA_LEN.
Use defined(HAVE_foo) instead of just testing HAVE_foo.
 1.86.12.1  22-Jul-2007  lukem file ftpcmd.y was added on branch matt-mips64 on 2007-07-22 05:06:46 +0000
 1.86.10.1  18-May-2008  yamt sync with head.
 1.87.2.1  24-Sep-2008  wrstuden Merge in changes between wrstuden-revivesa-base-2 and
wrstuden-revivesa-base-3.
 1.88.6.1  13-May-2009  jym Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
 1.94.26.1  02-Oct-2023  martin Pull up following revision(s) (requested by lukem in ticket #386):

libexec/ftpd/ftpcmd.y: revision 1.95

Add missing check_login checks for MLST and MLSD
 1.94.18.1  02-Oct-2023  martin Pull up following revision(s) (requested by lukem in ticket #1740):

libexec/ftpd/ftpcmd.y: revision 1.95

Add missing check_login checks for MLST and MLSD
 1.94.8.1  03-Oct-2023  martin Pull up following revision(s) (requested by lukem in ticket #1904):

libexec/ftpd/ftpcmd.y: revision 1.95

Add missing check_login checks for MLST and MLSD

RSS XML Feed