Subject: minor ftp mput vulnerability

Related to 1351, but less urgent, there are a couple issues in ftp's mput command we could fix up.

1) If "mput *" is done in a directory containing a file named "-" or a file name starting with "|", they'll be treated as special names (stdin and run-command respectively). This is probably not what would be intended.

2) If mput is used in proxy mode, the globbing is not done locally, so a compromised server could send back special file names, even for a pattern that wouldn't normally match those names.

Presumably in (1) the user has some clue what files exist locally if she's trying to send them, and for (2), I don't know that we care that much about proxy support...
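
An added example, not part of the original report and not code from the ftp source: one way to handle the two cases above in C, assuming the client treats exactly "-" as stdin and a leading "|" as a command, as the report describes. The function names and sample file names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption taken from the report: the client treats exactly "-" as stdin
 * and any name with a leading '|' as a command to run. */
int is_special_name(const char *name)
{
    return strcmp(name, "-") == 0 || name[0] == '|';
}

/* Case (1), locally globbed names: the file really exists, so keep it but
 * prefix "./" so it can no longer match either special form.
 * Returns 0 on success, -1 if the result does not fit in out. */
int neutralize_local_name(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s",
                     is_special_name(name) ? "./" : "", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Case (2), names returned by a remote glob in proxy mode: the server is
 * untrusted, so drop special names instead of rewriting them.
 * Copies the accepted pointers into kept[] and returns how many were kept. */
size_t filter_remote_names(const char **names, size_t count, const char **kept)
{
    size_t k = 0;
    for (size_t i = 0; i < count; i++)
        if (!is_special_name(names[i]))
            kept[k++] = names[i];
    return k;
}

int main(void)
{
    /* Constructed sample names, not taken from the report. */
    const char *names[] = { "notes.txt", "-", "|example-command", "-v", "a|b" };
    size_t count = sizeof names / sizeof names[0];
    const char *kept[5];
    char buf[64];

    for (size_t i = 0; i < count; i++)
        if (neutralize_local_name(names[i], buf, sizeof buf) == 0)
            printf("local  %-18s -> %s\n", names[i], buf);
    printf("remote: kept %zu of %zu names\n",
           filter_remote_names(names, count, kept), count);
    return 0;
}
```

Names such as "-v" and "a|b" are left alone because only an exact "-" or a leading "|" matches the special forms the report describes.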