
This ftp is otherwise known as tnftp and originates with NetBSD.

It is part of their base install and is the only ftp/http client installed by default. It is the default client for installing packages.

Aside from the popen feature (-o"|utility" pipes output to utility), getting this program to segfault is quite easy. If you are concerned about security I would seek a workaround that you trust.

tnftp does not link to libfetch, but on NetBSD libfetch is still present (why? I am not sure), so a user could install fetch(1), the default ftp/http client from FreeBSD, which is available as a package, and it will work "out of the box". FreeBSD's fetch(1) does link to libfetch.

There is also example code for a libfetch-linked client in the NetBSD source tree.

Whether the fetch(1) client has security issues of its own, I do not know, but at least it does not implement the popen feature.



