Bug in ftp "get" command (4.2 ftp)

terryl at tekchips.UUCP
Tue Oct 23 07:15:03 AEST 1984


     There is a bug in the way ftp validates pathnames for the "get" command.
In the file ftp.c, in the routine recvrequest(), the code looks something like
this:


	if (strcmp(local, "-") && *local != '|')
		if (access(local, 2) < 0) {
			char *dir = rindex(local, '/');

			if (dir != NULL)
				*dir = 0;
/* WRONG!! */		if (access(dir ? dir : ".", 2) < 0) {
				perror(local);
				goto bad;
			}
			if (dir != NULL)
				*dir = '/';
		}

     First ftp tries to see if the user has write access to the full pathname;
if not, then ftp tries to see if the user has write access to the directory the
file will go in. It is this test that is done wrong; as one can see from the
above code, if the pathname has at least one '/' in it, then the last '/' is
zero'd out to get the directory component of the name. But it passes a pointer
to this zero'd out portion of the pathname to access() to validate the user
has write access to the directory, essentially a null pathname. A null pathname
refers to the current directory under 4.2. Now, if the user is in a directory
that he does not have write permission to, AND he does not have write permission
to the file he is trying to transfer (or more commonly, the file does not exist
yet), then ftp will report "Permission denied.", even though he may have write
permission to the target directory and the file really doesn't exist yet. To
fix this, change the line marked /* WRONG!! */ to the following:

			if (access(dir ? local : ".", 2) < 0) {

and everything should be hunky-dory. It looks like this bug has been in there
for quite a while. The 4.2 release we have is dated 7/26/83 version 4.11; we
have sources going back to 2/25/83 version 4.4, and they both have the same bug.


				Terry Laskodi
				     of
				Tektronix
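
Added example, not part of the original post or the 4.2 ftp source: a small C program that shows which pathname reaches access() in the directory check, for the original line and for the posted fix. It goes one step beyond the post by adding a root-aware variant for names like "/newfile", where zeroing the only '/' leaves local itself empty; the names dir_check_arg, variant and ROOT_AWARE and the sample pathnames are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum variant { ORIGINAL, POSTED_FIX, ROOT_AWARE };

/* Copy into out the pathname that the directory check hands to access(). */
static const char *dir_check_arg(const char *path, enum variant v,
				 char *out, size_t n)
{
	char local[1024];
	char *dir;
	const char *arg;

	snprintf(local, sizeof local, "%s", path);
	dir = strrchr(local, '/');	/* rindex() in the 4.2 source */
	if (dir != NULL)
		*dir = 0;		/* local now ends at the last '/' */
	if (dir == NULL)
		arg = ".";
	else if (v == ORIGINAL)
		arg = dir;		/* points at the new NUL: always "" */
	else if (v == ROOT_AWARE && dir == local)
		arg = "/";		/* "/file": directory part is the root */
	else
		arg = local;		/* the post's fix */
	snprintf(out, n, "%s", arg);
	return out;
}

int main(void)
{
	/* Constructed sample pathnames. */
	const char *paths[] = { "newfile", "/tmp/newfile", "/newfile" };
	const char *names[] = { "original", "posted fix", "root-aware" };
	char arg[1024];
	size_t i;
	int v;

	for (i = 0; i < sizeof paths / sizeof paths[0]; i++)
		for (v = ORIGINAL; v <= ROOT_AWARE; v++) {
			dir_check_arg(paths[i], (enum variant)v, arg, sizeof arg);
			/* access("") meant "." on 4.2; POSIX systems return ENOENT. */
			printf("%-13s %-10s access(\"%s\", W_OK) = %d\n", paths[i],
			       names[v], arg, access(arg, W_OK));
		}
	return 0;
}
```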


