[erlang-questions] inets / tftpd bug and patch
Pete Kazmier
pete-expires-20060401@REDACTED
Sun Oct 1 07:49:56 CEST 2006
I've just discovered the tftpd server in inets and have replaced the
standard tftp daemon included on my Linux box. It took a bit before
I discovered the 'root_dir' option to the tftp_file callback module. In
case anyone is curious, I invoke it as:

    tftp:start([{callback, {".*", tftp_file, [{root_dir, "/tftpboot"}]}}]).

This should limit all access to the "/tftpboot" directory; however, I
believe there is a bug in tftp_file:filename_join/2. This function is
used to merge root_dir with the client-supplied filename to ensure the
client does not affect other parts of the filesystem. For example:

    1> filename_join("/tftpboot", "file.txt").
    "/tftpboot/file.txt"

However, if the client sends an absolute path, the root_dir is ignored
entirely:

    2> filename_join("/tftpboot", "/file.txt").
    "/file.txt"

And judging by the code, this was not the intent:

    filename_join(Dir, Filename) ->
        case filename:pathtype(Filename) of
            absolute ->
                [_ | RelDir] = filename:split(Dir),
                filename:join([RelDir, Filename]);
            _ ->
                filename:join([Dir, Filename])
        end.

I believe the correct version should be:

    filename_join(Dir, Filename) ->
        case filename:pathtype(Filename) of
            absolute ->
                [_ | RelDir] = filename:split(Filename),  % CHANGED
                filename:join([Dir | RelDir]);            % CHANGED
            _ ->
                filename:join([Dir, Filename])
        end.

Included is a patch.
Thanks,
Pete
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tftp.patch
Type: text/x-patch
Size: 595 bytes
Desc: Patch for tftp_file
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20061001/449452e0/attachment.bin>
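
A regression check for the root_dir confinement discussed in the message above, added here as an example; it is not part of the original post or of inets. The module name, `is_under_root/2`, `escapes/3`, `demo/0` and the sample filename "/srv/other.txt" are assumptions made for illustration, and a Unix-like host is assumed for filename:pathtype/1.

```erlang
-module(tftp_root_check).
-export([original_join/2, patched_join/2, is_under_root/2, escapes/3, demo/0]).

%% filename_join/2 as quoted in the post: an absolute Filename discards Dir.
original_join(Dir, Filename) ->
    case filename:pathtype(Filename) of
        absolute ->
            [_ | RelDir] = filename:split(Dir),
            filename:join([RelDir, Filename]);
        _ ->
            filename:join([Dir, Filename])
    end.

%% The corrected version proposed in the post: strip the leading root
%% component from Filename and re-anchor the rest under Dir.
patched_join(Dir, Filename) ->
    case filename:pathtype(Filename) of
        absolute ->
            [_ | RelDir] = filename:split(Filename),
            filename:join([Dir | RelDir]);
        _ ->
            filename:join([Dir, Filename])
    end.

%% Hypothetical helper: true when Path starts with all of Root's components.
%% It is deliberately conservative and also treats any ".." component as
%% outside the root, which goes beyond the absolute-path case in the post.
is_under_root(Root, Path) ->
    Parts = filename:split(Path),
    lists:prefix(filename:split(Root), Parts)
        andalso not lists:member("..", Parts).

%% Return {ClientName, ResolvedPath} for every name that JoinFun resolves
%% to a path outside Root.
escapes(JoinFun, Root, Names) ->
    [{N, P} || N <- Names, P <- [JoinFun(Root, N)], not is_under_root(Root, P)].

%% Constructed sample input: the two filenames from the post plus one more
%% absolute path. Returns {EscapesWithOriginal, EscapesWithPatched}.
demo() ->
    Root = "/tftpboot",
    Names = ["file.txt", "/file.txt", "/srv/other.txt"],
    {escapes(fun original_join/2, Root, Names),
     escapes(fun patched_join/2, Root, Names)}.
```

Compile with c(tftp_root_check). and call tftp_root_check:demo(). in the shell; an empty second list means every sample name stayed under the root with the patched function.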