From ad3b829a84f50905002d0395882f257e5f8a3771 Mon Sep 17 00:00:00 2001
From: mikeb
Date: Thu, 27 Apr 2017 13:30:54 +0000
Subject: [PATCH] Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between USER and PASS, most of the others are not. However if such command is issued, ftpd should abort the command evaluation early and reply with "530 Please login with USER and PASS." From form@, with input from deraadt@ and OK millert@
---
 libexec/ftpd/ftpcmd.y | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y
index 36d9824a9ce..5a394538e4f 100644
--- a/libexec/ftpd/ftpcmd.y
+++ b/libexec/ftpd/ftpcmd.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftpcmd.y,v 1.65 2017/04/17 21:49:01 deraadt Exp $ */
+/* $OpenBSD: ftpcmd.y,v 1.66 2017/04/27 13:30:54 mikeb Exp $ */
 /* $NetBSD: ftpcmd.y,v 1.7 1996/04/08 19:03:11 jtc Exp $ */
 
 /*
@@ -956,6 +956,8 @@ check_login
 else {
 reply(530, "Please login with USER and PASS.");
 $$ = 0;
+ state = 0;
+ YYABORT;
 }
 }
 ;
@@ -966,6 +968,8 @@ check_login_epsvall
 if (!logged_in) {
 reply(530, "Please login with USER and PASS.");
 $$ = 0;
+ state = 0;
+ YYABORT;
 } else if (epsvall) {
 reply(501, "the command is disallowed "
 "after EPSV ALL");
-- 
2.20.1
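Review bot: The bare `state = 0;` added to the not-logged-in branch of check_login (and the identical pair in check_login_epsvall) needs a comment, because nothing in the hunk says why the lexer state must be reset before `YYABORT`. Something like `/* back to start-of-command state: drop the rest of this line before aborting the parse */` would do, assuming that is what state 0 means to the lexer. If the file has a named constant for that initial state (other BSD versions of ftpcmd.y use `CMD`), `state = CMD;` reads better than the literal. This is the pre-authentication path, so it is worth stating that the abort keeps the rest of an unauthenticated command from reaching any later action. The check_login rule starts above the hunk.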
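Review bot: The `else if (epsvall)` branch of check_login_epsvall still sends its 501 reply without the `state = 0; YYABORT;` pair that the 530 branch above it now has, at least in the lines visible here. If the enclosing command's action also replies when the check yields 0, a client could still get two responses to one command after EPSV ALL, which is the double reply this commit sets out to remove. The branch continues past the end of the hunk, so confirm how it ends and consider finishing it the same way with `state = 0; YYABORT;`.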