/* Basic FTP routines.
- Copyright (C) 1995, 1996, 1997, 1998, 2000 Free Software Foundation, Inc.
+ Copyright (C) 1996-2005 Free Software Foundation, Inc.
This file is part of GNU Wget.
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
-along with Wget; if not, write to the Free Software
-Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+along with Wget; if not, write to the Free Software Foundation, Inc.,
+51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
In addition, as a special exception, the Free Software Foundation
gives permission to link the code of its release of Wget with the
#include <stdlib.h>
#include <errno.h>
-#ifdef HAVE_STRING_H
-# include <string.h>
-#else
-# include <strings.h>
-#endif
+#include <string.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif
-#include <sys/types.h>
#include "wget.h"
#include "utils.h"
/* Get the response of FTP server and allocate enough room to handle
it. <CR> and <LF> characters are stripped from the line, and the
line is 0-terminated. All the response lines but the last one are
- skipped. The last line is determined as described in RFC959. */
+ skipped. The last line is determined as described in RFC959.
+
+ If the line is successfully read, FTPOK is returned, and *ret_line
+ is assigned a freshly allocated line. Otherwise, FTPRERR is
+ returned, and the value of *ret_line should be ignored. */
+
uerr_t
ftp_response (int fd, char **ret_line)
{
while (1)
{
+ char *p;
char *line = fd_read_line (fd);
if (!line)
return FTPRERR;
+
+ /* Strip trailing CRLF before printing the line, so that
+ escnonprint doesn't include bogus \012 and \015. */
+ p = strchr (line, '\0');
+ if (p > line && p[-1] == '\n')
+ *--p = '\0';
+ if (p > line && p[-1] == '\r')
+ *--p = '\0';
+
if (opt.server_response)
- logputs (LOG_NOTQUIET, escnonprint (line));
+ logprintf (LOG_NOTQUIET, "%s\n", escnonprint (line));
else
- DEBUGP (("%s", escnonprint (line)));
+ DEBUGP (("%s\n", escnonprint (line)));
+
+ /* The last line of output is the one that begins with "ddd ". */
if (ISDIGIT (line[0]) && ISDIGIT (line[1]) && ISDIGIT (line[2])
&& line[3] == ' ')
{
- char *p = line + strlen (line);
- if (p > line && p[-1] == '\n')
- *--p = '\0';
- if (p > line && p[-1] == '\r')
- *--p = '\0';
strncpy (ftp_last_respline, line, sizeof (ftp_last_respline));
ftp_last_respline[sizeof (ftp_last_respline) - 1] = '\0';
*ret_line = line;
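Review bot: The new rule that `*ret_line` must be ignored on FTPRERR is enforced only by the comment. On the `if (!line) return FTPRERR;` path the caller's pointer keeps whatever value it had, which is why the old `xfree (respline)` calls in the callers were unsafe. Adding `*ret_line = NULL;` before `return FTPRERR;` would make any caller this commit missed fail predictably instead of freeing an indeterminate pointer. How `xfree` treats NULL is not visible on this page, so confirm that first. The body of ftp_response continues past the end of this hunk.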
{
char *res;
if (value)
- res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+ {
+ /* Check for newlines in VALUE (possibly injected by the %0A URL
+ escape) making the callers inadvertently send multiple FTP
+ commands at once. Without this check an attacker could
+ intentionally redirect to ftp://server/fakedir%0Acommand.../
+ and execute arbitrary FTP command on a remote FTP server. */
+ if (strpbrk (value, "\r\n"))
+ {
+ /* Copy VALUE to the stack and modify CR/LF to space. */
+ char *defanged, *p;
+ STRDUP_ALLOCA (defanged, value);
+ for (p = defanged; *p; p++)
+ if (*p == '\r' || *p == '\n')
+ *p = ' ';
+ DEBUGP (("\nDetected newlines in %s \"%s\"; changing to %s \"%s\"\n",
+ command, escnonprint (value), command, escnonprint (defanged)));
+ /* Make VALUE point to the defanged copy of the string. */
+ value = defanged;
+ }
+ res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+ }
else
res = concat_strings (command, "\r\n", (char *) 0);
if (opt.server_response)
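Review bot: `STRDUP_ALLOCA (defanged, value)` copies onto the stack a string that, per the comment above it, can come from a URL. A very long value containing CR or LF therefore decides how much stack this function uses; a heap copy released after `concat_strings` avoids that. Separately, the rewrite is reported only through `DEBUGP`, so a normal run leaves no trace that a URL carried embedded line breaks. A `logprintf (LOG_NOTQUIET, ...)` message would make the event visible in the ordinary log. The enclosing function starts and ends outside this hunk.

```c
  if (value)
    {
      char *defanged = NULL;
      if (strpbrk (value, "\r\n"))
        {
          char *p;
          /* Heap copy: the length of VALUE is not bounded here. */
          defanged = xstrdup (value);
          /* ... unchanged: CR/LF-to-space loop and the detection message ... */
          value = defanged;
        }
      res = concat_strings (command, " ", value, "\r\n", (char *) 0);
      /* Release the defanged copy once it has been folded into RES. */
      xfree_null (defanged);
    }
```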
/* Get greeting. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '2')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
/* An unprobable possibility of logging without a password. */
if (*respline == '2')
{
xfree (respline);
return FTPLOGREFUSED;
}
-#ifdef USE_OPIE
+#ifdef ENABLE_OPIE
{
static const char *skey_head[] = {
"331 s/key ",
pass = skey_response (skey_sequence, seed, pass);
}
}
-#endif /* USE_OPIE */
+#endif /* ENABLE_OPIE */
xfree (respline);
/* Send PASS password. */
request = ftp_request ("PASS", pass);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '2')
{
xfree (respline);
err = ftp_response (csock, &respline);
if (err != FTPOK)
{
- xfree (respline);
fd_close (*local_sock);
return err;
}
err = ftp_response (csock, &respline);
if (err != FTPOK)
{
- xfree (respline);
fd_close (*local_sock);
return err;
}
{
int afnum;
- assert (addr != NULL);
- assert (addr->type == IPV4_ADDRESS || addr->type == IPV6_ADDRESS);
- assert (buf != NULL);
/* buf must contain the argument of EPRT (of the form |af|addr|port|).
* 4 chars for the | separators, INET6_ADDRSTRLEN chars for addr
* 1 char for af (1-2) and 5 chars for port (0-65535) */
/* Construct the argument of EPRT (of the form |af|addr|port|). */
afnum = (addr->type == IPV4_ADDRESS ? 1 : 2);
- snprintf (buf, buflen, "|%d|%s|%d|", afnum, pretty_print_address (addr), port);
+ snprintf (buf, buflen, "|%d|%s|%d|", afnum, print_address (addr), port);
buf[buflen - 1] = '\0';
}
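Review bot: With the three asserts removed, nothing guards `buf[buflen - 1] = '\0';` against a zero `buflen`, and the `snprintf` result is discarded, so a truncated EPRT argument would be handed back without any sign of it. The one caller visible on this page passes a buffer sized per the comment, so this is a robustness point rather than a demonstrated fault. Keeping a single precondition check such as `assert (buflen > 0);` and comparing the `snprintf` return value against `buflen` would make the helper safe to reuse. The function's signature is outside this hunk.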
int nwritten;
int port;
/* Must contain the argument of EPRT (of the form |af|addr|port|).
- * 4 chars for the | separators, ENABLE_IPV6_ADDRSTRLEN chars for addr
+ * 4 chars for the | separators, INET6_ADDRSTRLEN chars for addr
* 1 char for af (1-2) and 5 chars for port (0-65535) */
char bytes[4 + INET6_ADDRSTRLEN + 1 + 5 + 1];
if (!socket_ip_address (csock, &addr, ENDPOINT_LOCAL))
return FTPSYSERR;
- assert (addr.type == IPV4_ADDRESS || addr.type == IPV6_ADDRESS);
-
/* Setting port to 0 lets the system choose a free port. */
port = 0;
if (*local_sock < 0)
return FTPSYSERR;
- /* Construct the argument of LPRT (of the form af,n,h1,h2,...,hn,p1,p2). */
+ /* Construct the argument of EPRT (of the form |af|addr|port|). */
ip_address_to_eprt_repr (&addr, port, bytes, sizeof (bytes));
/* Send PORT request. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
{
- xfree (respline);
fd_close (*local_sock);
return err;
}
assert (addr != NULL);
assert (port != NULL);
- memset (addr, 0, sizeof (ip_address));
+ xzero (*addr);
/* Form the request. */
request = ftp_request ("PASV", NULL);
/* Get the server response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '2')
{
xfree (respline);
assert (addr != NULL);
assert (port != NULL);
- memset (addr, 0, sizeof (ip_address));
+ xzero (*addr);
/* Form the request. */
request = ftp_request ("LPSV", NULL);
/* Get the server response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '2')
{
xfree (respline);
addr->type = IPV4_ADDRESS;
memcpy (ADDRESS_IPV4_DATA (addr), tmp, 4);
*port = ((tmpprt[0] << 8) & 0xff00) + tmpprt[1];
- DEBUGP (("lpsv addr is: %s\n", pretty_print_address(addr)));
+ DEBUGP (("lpsv addr is: %s\n", print_address(addr)));
DEBUGP (("tmpprt[0] is: %d\n", tmpprt[0]));
DEBUGP (("tmpprt[1] is: %d\n", tmpprt[1]));
DEBUGP (("*port is: %d\n", *port));
addr->type = IPV6_ADDRESS;
memcpy (ADDRESS_IPV6_DATA (addr), tmp, 16);
*port = ((tmpprt[0] << 8) & 0xff00) + tmpprt[1];
- DEBUGP (("lpsv addr is: %s\n", pretty_print_address(addr)));
+ DEBUGP (("lpsv addr is: %s\n", print_address(addr)));
DEBUGP (("tmpprt[0] is: %d\n", tmpprt[0]));
DEBUGP (("tmpprt[1] is: %d\n", tmpprt[1]));
DEBUGP (("*port is: %d\n", *port));
/* Get the server response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '2')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '2')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline == '5')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline != '3')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline == '5')
{
xfree (respline);
/* Get appropriate respone. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline == '5')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline == '5')
{
xfree (respline);
/* Get appropriate response. */
err = ftp_response (csock, &respline);
if (err != FTPOK)
- {
- xfree (respline);
- return err;
- }
+ return err;
if (*respline == '5')
{
+ err:
xfree (respline);
return FTPSRVERR;
}
and everything following it. */
strtok (respline, "\"");
request = strtok (NULL, "\"");
+ if (!request)
+ /* Treat the malformed response as an error, which the caller has
+ to handle gracefully anyway. */
+ goto err;
/* Has the `pwd' been already allocated? Free! */
xfree_null (*pwd);
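Review bot: The new `goto err;` jumps to a label that the previous hunk places inside the body of `if (*respline == '5')`, and that label shares its name with the `err` variable holding the `ftp_response` result. Both are legal C, but a reader has to notice that the jump enters another branch's block and that `err` means two different things. A distinctly named label at function level, for example `bad_response:` followed by `xfree (respline); return FTPSRVERR;`, would read more clearly. The function begins and ends outside this hunk.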
err = ftp_response (csock, &respline);
if (err != FTPOK)
{
- xfree (respline);
*size = 0;
return err;
}