Summary
The FTP path resolution function does not enforce root directory boundaries, and uses unbounded sprintf() throughout.
Affected Files
src/ftpfqn.c:176-254 (resolve_path)src/ftpfqn.c lines 35, 52, 62, 73, 89, 108, 112, 120, 124, 140, 150, 153
Details
Path traversal
while (p = strstr(path, "/..")) {
/* normalizes but does not enforce root boundary */
}An attacker can escape the FTP root directory with CWD ../../etc.
Buffer overflows
Multiple sprintf() calls combine working directory and user input without bounds checking:
sprintf(buf, "%s%s", ftpc->cwd, in);
sprintf(buf, "%s.%s", ftpc->cwd, in);
sprintf(out, "%s/%s", ftpc->ufs->cwd->path, buf);
Fix
- After path resolution, verify the canonical path starts with the configured FTP root.
- Replace all
sprintf() with snprintf().
Severity
CRITICAL — path traversal + buffer overflow, both exploitable via FTP commands.
Summary
The FTP path resolution function does not enforce root directory boundaries, and uses unbounded
sprintf()throughout.Affected Files
src/ftpfqn.c:176-254(resolve_path)src/ftpfqn.clines 35, 52, 62, 73, 89, 108, 112, 120, 124, 140, 150, 153Details
Path traversal
An attacker can escape the FTP root directory with
CWD ../../etc.Buffer overflows
Multiple
sprintf()calls combine working directory and user input without bounds checking:Fix
sprintf()withsnprintf().Severity
CRITICAL — path traversal + buffer overflow, both exploitable via FTP commands.