[15479] in bugtraq
Re: ftpd: the advisory version
daemon@ATHENA.MIT.EDU (Bernd Luevelsmeyer)
Mon Jun 26 15:23:13 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3955B817.7FFD53BB@heitec.net>
Date: Sun, 25 Jun 2000 09:43:19 +0200
Reply-To: Bernd Luevelsmeyer <bernd.luevelsmeyer@HEITEC.NET>
From: Bernd Luevelsmeyer <bernd.luevelsmeyer@HEITEC.NET>
X-To: Lamagra Argamal <lamagra@HACKERMAIL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Lamagra Argamal wrote:
[...]
> There are some other bugs in site_exec like
> for (t = cmd; *t && !isspace(*t); t++) {
>     if (isupper(*t)) {
>         *t = tolower(*t);
>     }
> }
>
> Sanitizing stops at a space?? (good thing I didn't tell you this, eh tf8)
[...]
According to the C standard, <ctype.h> functions operate on values that
are representable as an 'unsigned char' or EOF; hence, if the compiler's
'char' is signed then negative character values in the string 'cmd' are
possible and might cause unpredictable results in isspace(), isupper()
and tolower(). Because sanitizing shouldn't stop, and the test with
isupper() is unnecessary anyway (tolower() returns the unchanged value
if the parameter isn't an uppercase letter), I suggest:
    for (t = cmd; *t; t++)
        *t = tolower((unsigned char)*t);
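
The two loops from this thread side by side, as an added example that is not part of the original post: it runs the quoted loop shape and the suggested loop over a constructed command string containing a byte with the high bit set, and shows the value a <ctype.h> function would receive with and without the cast. The function names and the sample string are made up for this illustration, and the first loop has casts added so that the demonstration itself stays well-defined.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Shape of the quoted site_exec loop: lowering stops at the first
   whitespace. Casts are added so this demo stays well-defined. */
static char *lower_until_space(char *cmd)
{
    char *t;
    for (t = cmd; *t && !isspace((unsigned char)*t); t++)
        if (isupper((unsigned char)*t))
            *t = (char)tolower((unsigned char)*t);
    return cmd;
}

/* The loop suggested in the reply: every byte, cast before tolower(). */
static char *lower_all(char *cmd)
{
    char *t;
    for (t = cmd; *t; t++)
        *t = (char)tolower((unsigned char)*t);
    return cmd;
}

/* 1 if v is a value the <ctype.h> functions are defined for. */
static int ctype_domain_ok(int v)
{
    return v == EOF || (v >= 0 && v <= UCHAR_MAX);
}

/* Value a <ctype.h> function receives for byte c, without and with the cast. */
static int arg_uncast(char c) { return c; }
static int arg_cast(char c)   { return (unsigned char)c; }

int main(void)
{
    char a[] = "LS -LA \xE9TC";  /* constructed input; 0xE9 has the high bit set */
    char b[] = "LS -LA \xE9TC";
    char hi = a[7];

    printf("stops at space: \"%s\"\n", lower_until_space(a));
    printf("whole string:   \"%s\"\n", lower_all(b));
    printf("uncast arg %d, in domain: %d\n", arg_uncast(hi), ctype_domain_ok(arg_uncast(hi)));
    printf("cast arg   %d, in domain: %d\n", arg_cast(hi), ctype_domain_ok(arg_cast(hi)));
    return 0;
}
```

Where plain char is unsigned, both arguments are in range; the uncast value goes negative only where char is signed.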