Skip Menu |

Subject: minor ftp mput vulnerability
Related to 1351, but less urgent, there are a couple issues in ftp's
mput command we could fix up.

1) If "mput *" is done in a directory containing a file named "-" or a
file name starting with "|", they'll be treated as special names (stdin
and run-command respectively). This is probably not what would be intended.

2) If mput is used in proxy mode, the globbing is not done locally, so a
compromised server could send back special file names, even for a
pattern that wouldn't normally match those names.

Presumably in (1) the user has some clue what files exist locally if
she's trying to send them, and for (2), I don't know that we care that
much about proxy support...