head	1.2;
access;
symbols
	RELEASE_5_0_0:1.1;
locks; strict;
comment	@# @;


1.2
date	2003.03.03.00.52.42;	author sf;	state dead;
branches;
next	1.1;

1.1
date	2002.12.11.15.58.37;	author sf;	state Exp;
branches;
next	;


desc
@@


1.2
log
@o import Debian patches.
 - fix .netrc parsing bug
 - fix 2GB limitation
 - re-add IPv6 capability
 - fix SEGV with special url line
 check debian/changelog for more detail.

o replace /usr/local with ${PREFIX} in wgetrc and info.

PR:		38824 reported 2GB limitation
Obtained from:	Debian GNU/Linux
@
text
@$OpenBSD: patch-src_ftp_c,v 1.1 2002/12/10 18:37:24 brad Exp $
--- src/ftp.c.orig	Tue Dec 10 13:08:00 2002
+++ src/ftp.c	Tue Dec 10 13:16:22 2002
@@@@ -1637,6 +1637,7 @@@@ ftp_retrieve_glob (struct urlinfo *u, cc
 {
   struct fileinfo *orig, *start;
   uerr_t res;
+  struct fileinfo *f;
 
   con->cmd |= LEAVE_PENDING;
 
@@@@ -1648,8 +1649,7 @@@@ ftp_retrieve_glob (struct urlinfo *u, cc
      opt.accepts and opt.rejects.  */
   if (opt.accepts || opt.rejects)
     {
-      struct fileinfo *f = orig;
-
+      f = orig;
       while (f)
 	{
 	  if (f->type != FT_DIRECTORY && !acceptable (f->name))
@@@@ -1661,6 +1661,18 @@@@ ftp_retrieve_glob (struct urlinfo *u, cc
 	    f = f->next;
 	}
     }
+  /* Remove all files with possible harmful names */
+  f = orig;
+  while (f)
+  {
+     if (has_invalid_name(f->name))
+     {
+	logprintf (LOG_VERBOSE, _("Rejecting `%s'.\n"), f->name);
+	f = delelement (f, &start);
+     }
+     else
+	f = f->next;
+  }
   /* Now weed out the files that do not match our globbing pattern.
      If we are dealing with a globbing pattern, that is.  */
   if (*u->file && (action == GLOBALL || action == GETONE))
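Review bot: The added name-filter loop starts from `f = orig;`, but it removes entries with `delelement (f, &start)`, and the accept/reject pass just above it appears to do the same in lines that fall between the hunks. If that earlier pass dropped the first entry of the listing, `orig` would no longer point into the live list, and the check meant to stop hostile server-supplied file names would walk a stale element instead of the surviving entries. Starting the loop with `f = start;` keeps it on the current head. This is inferred from the `&start` argument: `delelement` and `has_invalid_name` are defined outside the patch and should be checked, and `ftp_retrieve_glob` begins before and continues past this hunk. The log line also reuses the accept/reject wording, so a distinct message such as `_("Rejecting `%s' (unsafe file name).\n")` would let an operator tell a traversal attempt from an ordinary filter match.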
@


1.1
log
@Fix directory traversal bug in FTP.

References:
http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482&w=2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1344

Patches obtained from: Red Hat Linux
Approved by:	portmgr(will)
@
text
@@

