Package: proftpd-mod-vroot Version: 0.9.2-2+b2 Severity: grave The proftpd module mod_vroot is broken, because the alias string processing is erroneous. The result of the function vroot_lookup_path may look like this without the attached patch: static int vroot_lstat(pr_fs_t *fs, const char *orig_path, struct stat *st) { ... if (vroot_lookup_path(NULL, vpath, sizeof(vpath)-1, path, 0, NULL) < 0) { destroy_pool(tmp_pool); return -1; } (void) pr_log_writefile(vroot_logfd, MOD_VROOT_VERSION, "(lstat) ==> path '%s'", path); (void) pr_log_writefile(vroot_logfd, MOD_VROOT_VERSION, "(lstat) ==> vpath '%s'", vpath); if ((vroot_opts & VROOT_OPT_ALLOW_SYMLINKS) || vroot_is_alias(path) == 0) { ... ) Aug 22 21:06:18 mod_vroot/0.9.2[8919]: (lstat) ==> path '/folder1/test.sh' Aug 22 21:06:18 mod_vroot/0.9.2[8919]: (lstat) ==> vpath '/media/b464f0f6-0ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/eb Using the following patch makes the module working. 
The code changes has been taken from the original GIT repositoryhttps://github.com/Castaglia/proftpd-mod_vroot <https://3c.gmx.net/mail/client/dereferrer?redirectUrl=https%3A%2F%2Fgithub.com%2FCastaglia%2Fproftpd-mod_vroot>. --- proftpd-mod-vroot-0.9.2.orig/mod_vroot.c +++ proftpd-mod-vroot-0.9.2/mod_vroot.c @@ -225,7 +225,7 @@ loop: } else if (*bufp != '\0') { size_t buflen, tmplen; - char *ptr; + char *ptr = NULL; ptr = strstr(bufp, ".."); if (ptr != NULL) { @@ -280,9 +280,14 @@ loop: if (vroot_aliastab != NULL) { char *start_ptr = NULL, *end_ptr = NULL, *src_path = NULL; + /* buf is used here for storing the "suffix", to be appended later when + * aliases are found. + */ + bufp = buf; + start_ptr = path; while (start_ptr != NULL) { - char *ptr; + char *ptr = NULL; pr_signals_handle(); @@ -312,8 +317,8 @@ loop: sstrncpy(path, src_path, pathlen); if (end_ptr != NULL) { - sstrcat(path, "/", pathlen); - sstrcat(path, end_ptr + 1, pathlen); + /* Now tack on our suffix from the scratchpad. */ + sstrcat(path, bufp, pathlen); } break; @@ -334,6 +339,8 @@ loop: break; } + /* Store the suffix in the buf scratchpad. */ + sstrncpy(buf, ptr, sizeof(buf)); end_ptr = ptr; *end_ptr = '\0'; }
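Review bot: In the last hunk, `sstrncpy(buf, ptr, sizeof(buf));` saves the suffix without checking that it fits, and the third hunk's `sstrcat(path, bufp, pathlen);` appends it without checking that the rebuilt path fits in `pathlen`. Both calls are bounded, so an over-long suffix is presumably cut short silently, and the lookup still reports success with a path that no longer names what the client asked for. For a module that maps client paths into a virtual root, failing the lookup is safer than continuing with a shortened path: before the copy, `if (strlen(ptr) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }`, with an equivalent length check before the `sstrcat` (the caller quoted in the report already treats a negative return as failure). `sizeof(buf)` is the buffer size only if `buf` is an array declared in this function; that declaration and any cleanup needed before an early return lie outside these hunks, so confirm both.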
Regards Volker