List:       suse-linux-e
Subject:    Re: [SLE] proftpd problem: "Forbidden filename"
From:       Christopher Mahmood <ckm () suse ! com>
Date:       2002-06-03 17:59:19

* David List (david@davidlist.dk) [020603 09:45]:
> However, it only works when I disable the PathAllowFilter directive in 
> /etc/proftpd.conf.
> I have not altered the suggestion for the PathAllowFilter directive that 
> was already in the file after installing the SuSE Linux 7.3 proftpd 
> package. It looks like this:
> PathAllowFilter ".*/[a-zA-Z0-9]+$"
> When I try uploading a file simply named 'test' I get the "Forbidden 
> filename" message again.

'./test' should work.  Kind of a strange regex there, especially
since it allows names like
        ../../../../../libc.so.6
If you had a script that automatically removed files from the
writable directory but ran outside of the chroot you could be in for
a nasty surprise :)

Something a little safer might be
        '^[a-zA-Z0-9\.\-]+$'
That is, the start of the record, any number of alphanumeric
characters, '.', and '-', and the end of the record.  The clinically 
paranoid might limit the filename length as well:
        '^[a-zA-Z0-9\.\-]{1,20}$'
which would be at least one character but no more than 20.
        

-- 

-ckm
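
An added example, not part of the original message: a small shell harness that runs constructed file names through the shipped filter and the two suggested ones with `grep -E`, so the effect of each pattern can be checked before it goes into /etc/proftpd.conf. It assumes ProFTPD evaluates PathAllowFilter as an unanchored POSIX extended regex search over the path the client sends; the variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example: check candidate upload names against PathAllowFilter-style
# patterns with grep -E (POSIX ERE). Assumption: ProFTPD applies the filter
# as an unanchored POSIX extended regex search over the client-supplied path.

SHIPPED='.*/[a-zA-Z0-9]+$'          # filter quoted from /etc/proftpd.conf
SUGGESTED='^[a-zA-Z0-9\.\-]+$'      # first filter suggested in the reply
LIMITED='^[a-zA-Z0-9\.\-]{1,20}$'   # length-limited variant, ERE {min,max}

# allowed PATTERN NAME -> exit status 0 if NAME matches PATTERN, 1 otherwise
allowed() {
    printf '%s\n' "$2" | LC_ALL=C grep -Eq -e "$1"
}

# verdict PATTERN NAME -> prints "allow" or "deny"
verdict() {
    if allowed "$1" "$2"; then echo allow; else echo deny; fi
}

# Constructed sample names, one per line (not taken from any real server).
# The last one is 21 characters long.
SAMPLES='test
./test
report.txt
../../../outside
name-of-21-chars.text'

# audit -> prints one row per sample with the verdict of each filter
audit() {
    printf '%-24s %-8s %-10s %s\n' NAME SHIPPED SUGGESTED LIMITED
    printf '%s\n' "$SAMPLES" | while IFS= read -r name; do
        printf '%-24s %-8s %-10s %s\n' "$name" \
            "$(verdict "$SHIPPED" "$name")" \
            "$(verdict "$SUGGESTED" "$name")" \
            "$(verdict "$LIMITED" "$name")"
    done
}

audit
```

The shipped filter denies a bare `test` because the pattern requires a `/`, and allows `../../../outside`; the anchored filters do the reverse.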
