[erlang-questions] inets / tftpd bug and patch

Pete Kazmier <>
Sun Oct 1 07:49:56 CEST 2006


I've just discovered the tftpd server in inets and have replaced the
standard tftp daemon included on my linux box.  It took a bit before
I discovered the 'root_dir' option to tftp_file callback module.  In
case anyone is curious, I invoke it as:

tftp:start([{callback, {".*", tftp_file, [{root_dir, "/tftpboot"}]}}]).

This should limit all access to the "/tftpboot" directory; however, I
believe there is a bug in tftp_file:filename_join/2.  This function is
used to merge root_dir with the client-supplied filename to ensure the
client does not affect other parts of the filesystem.  For example:

1> filename_join("/tftpboot", "file.txt").
"/tftpboot/file.txt"

However, if the client sends an absolute path, the root_dir is ignored
entirely:

2> filename_join("/tftpboot", "/file.txt").
"/file.txt"

And judging by the code, this was not the intent:

filename_join(Dir, Filename) ->
    case filename:pathtype(Filename) of
        absolute ->
            [_ | RelDir] = filename:split(Dir),
            filename:join([RelDir, Filename]);
        _ ->
            filename:join([Dir, Filename])
    end.

I believe the correct version should be:

filename_join(Dir, Filename) ->
    case filename:pathtype(Filename) of
        absolute ->
            [_ | RelDir] = filename:split(Filename), % CHANGED
            filename:join([Dir | RelDir);            % CHANGED
        _ ->
            filename:join([Dir, Filename])
    end.

Included is a patch.

Thanks,
Pete

-------------- next part --------------
A non-text attachment was scrubbed...
Name: tftp.patch
Type: text/x-patch
Size: 595 bytes
Desc: Patch for tftp_file
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20061001/449452e0/attachment.bin>


More information about the erlang-questions mailing list