Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"l" permission should be valid also for MLST command #114

Closed
giampaolo opened this issue May 28, 2014 · 5 comments
Closed

"l" permission should be valid also for MLST command #114

giampaolo opened this issue May 28, 2014 · 5 comments
Labels
bug Component-Library imported imported from old googlecode site and very likely outdated Security

Comments

@giampaolo
Copy link
Owner

From billiej...@gmail.com on April 21, 2009 02:31:42

What steps will reproduce the problem?  
1. Define a user with no permissions:
>>> authorizer.add_user('user', 'password', '/home/user', perm='')
2. Try to use the MLST command. 

What is the expected output?  


What do you see instead?  
Even though the "l" permission has not been assigned to the user the client
authenticating as "user" can still use the MLST command.
Although he's not aware of any pathname resident on the server (LIST, STAT
or MLSD should be enabled for that) he can still use the MLST command to
retrieve information about the root home directory.

The server should avoid the usage of MLST command unless the "l" permission
has been specifically assigned to the user.

Original issue: http://code.google.com/p/pyftpdlib/issues/detail?id=114
@giampaolo
Copy link
Owner Author

From billiej...@gmail.com on April 20, 2009 17:40:07

Fixed as r596 .

Status: Finished

@giampaolo
Copy link
Owner Author

From billiej...@gmail.com on August 29, 2009 10:34:03

Status: FixedInSVN

@giampaolo
Copy link
Owner Author

From billiej...@gmail.com on September 13, 2009 13:56:15

Status: Fixed

@giampaolo
Copy link
Owner Author

From billiej...@gmail.com on September 13, 2009 14:01:52

This is now fixed and included as part of 0.5.2 version.

@giampaolo
Copy link
Owner Author

From g.rodola on October 27, 2010 13:51:12

Adding "security" label as per: 
https://bugzilla.redhat.com/show_bug.cgi?id=646171

Labels: Security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Component-Library imported imported from old googlecode site and very likely outdated Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@giampaolo