incubator-mod_ftp-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Sanity check
Date Fri, 02 Feb 2007 20:50:05 GMT
Sander Temme wrote:
> 
> On Jan 31, 2007, at 9:53 AM, William A. Rowe, Jr. wrote:
> 
>> We need to use LimitExcept to specify known-good things.
> 
> I agree.
> 
> 1) If we inadvertently deny access to a newly implemented Method,
>    this is easily corrected
> 
>> Of our list, these are known-good IMHO and would like some more eyes
>> to validate these can't modify data on the server by their definitions.
>>
>> ABOR ACCT AUTH CDUP CWD EPRT EPSV FEAT HELP LIST LPRT LPSV MDTM MODE
>> NLST NOOP PASS PASV PBSZ PORT PROT PWD QUIT REIN REST RETR SIZE STAT
>> STRU SYST TYPE USER XCWD XPWD
> 
> known-good means it doesn't write anything to the server. I agree with
> this list, and would add XCUP subject to wrowe's remark below.
>>
>> We can also reduce the good-list because I believe the Xvariants are
>> pre-mapped before we invoke the subrequest, and the unimplemented ones
>> could be omitted.
> 
> Yes, they are essentially the same thing. I think the DOS FTP client may
> use them.

I discovered that FTP's + Apache 2.2's list (including all DAV and FTP
along with HTTP methods) has exceeded the optimistic 62 keyed methods.

So in the short-term, I've dropped the verbs that don't require us to
authenticate, e.g. every registered verb that isn't FTP_NEED_LOGIN.

If we don't need login, and we don't authenticate, it's considered
an always-safe method.  If you don't want it, ensure that FTP On
doesn't apply to the region.  These methods include USER, PASS,
AUTH, PBSZ, PROT and QUIT.

I'm adding NOOP to this list of !FTP_NEED_LOGIN methods to save us
one more method.

We can save a number of methods if we don't register commands which
have no provider.  Especially those mail related commands that nobody
expects to see implemented in today's ftpd servers.  Thoughts?

Bill
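
The allow-list approach discussed in this thread, written out as an Apache 2.2 configuration sketch. This is an added example, not part of the message or of mod_ftp's own documentation; the virtual host layout and the directory path are assumptions, and the verb list is the thread's known-good list minus the seven verbs the message treats as always-safe.

```apache
# Added example (not from the original message). Assumed layout: one
# FTP-enabled virtual host serving a read-only tree. The path below is
# a placeholder.
<VirtualHost *:21>
    FTP On

    <Directory "/srv/ftp/pub">
        # Allow-list: every method NOT named here falls inside the
        # <LimitExcept> block and is denied. A verb that mod_ftp
        # implements later is therefore refused until someone reviews
        # it and adds it to this line.
        #
        # USER, PASS, AUTH, PBSZ, PROT, QUIT and NOOP are left out on
        # purpose: per the message they do not require login, are not
        # authenticated, and are treated as always-safe wherever
        # "FTP On" applies, so they are not subject to this list.
        <LimitExcept ABOR ACCT CDUP CWD EPRT EPSV FEAT HELP LIST LPRT \
                     LPSV MDTM MODE NLST PASV PORT PWD REIN REST RETR \
                     SIZE STAT STRU SYST TYPE XCWD XPWD>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
</VirtualHost>
```

A `<Limit>` block naming only the write verbs would be the deny-list equivalent, and it fails open when a new verb is registered; the `<LimitExcept>` form above fails closed, which is the property the thread is asking for.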
