Prevent server-side glob(3) patterns from expanding

to a pathname that contains '\r' or '\n'.

Together with the earlier STAT bugfix, this must solve
the problem of such pathnames appearing in the FTP control
stream.

1 files changed, 17 insertions, 4 deletions

diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y
index 620154699746..8dcff537c7f4 100644
--- a/libexec/ftpd/ftpcmd.y
+++ b/libexec/ftpd/ftpcmd.y
@@ -972,8 +972,10 @@ pathname
 			 */
 			if (logged_in && $1) {
 				glob_t gl;
+				char *p, **pp;
 				int flags =
 				 GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
+				int n;
 
 				memset(&gl, 0, sizeof(gl));
 				flags |= GLOB_MAXPATH;
@@ -982,11 +984,22 @@ pathname
 				    gl.gl_pathc == 0) {
 					reply(550, "wildcard expansion error");
 					$$ = NULL;
-				} else if (gl.gl_pathc > 1) {
-					reply(550, "ambiguous");
-					$$ = NULL;
 				} else {
-					$$ = strdup(gl.gl_pathv[0]);
+					n = 0;
+					for (pp = gl.gl_pathv; *pp; pp++)
+						if (strcspn(*pp, "\r\n") ==
+						    strlen(*pp)) {
+							p = *pp;
+							n++;
+						}
+					if (n == 0)
+						$$ = strdup($1);
+					else if (n == 1)
+						$$ = strdup(p);
+					else {
+						reply(550, "ambiguous");
+						$$ = NULL;
+					}
 				}
 				globfree(&gl);
 				free($1);