Permalink
Commits on Nov 4, 2017
  1. Merge branch 'master' of github.com:jedisct1/pure-ftpd

    jedisct1 committed Nov 4, 2017
    * 'master' of github.com:jedisct1/pure-ftpd:
      Document the argon2i to argon2 name change
      Bump
      Update ChangeLog
Commits on Oct 27, 2017
  1. Bump

    jedisct1 committed Oct 27, 2017
  2. Update ChangeLog

    jedisct1 committed Oct 27, 2017
Commits on Oct 13, 2017
Commits on Oct 1, 2017
  1. Unlink symlink loops only on uploads

    jedisct1 committed Oct 1, 2017
    Fixes #68
Commits on Sep 21, 2017
  1. Tolerate digits in commands

    jedisct1 committed Sep 21, 2017
    Fixes #67
Commits on Sep 7, 2017
  1. Clarify what MinUID does

    jedisct1 committed Sep 7, 2017
Commits on Aug 20, 2017
  1. Call crypto_pwhash_str_verify() directly

    jedisct1 committed Aug 20, 2017
    So we can support argon2id in addition to argon2i (and scrypt)
Commits on Aug 19, 2017
Commits on Aug 18, 2017
  1. Remove seed_old_rng()

    jedisct1 committed Aug 18, 2017
    It's terrible. The good news is that it's not used either, since that
    code wouldn't even compile.
Commits on Jul 29, 2017
Commits on Jul 9, 2017
  1. Update NEWS/ChangeLog

    jedisct1 committed Jul 9, 2017
  2. Merge pull request #61 from CarloCannas/fix-STAT-on-TLS

    jedisct1 committed Jul 9, 2017
    Fix STAT on TLS connections
Commits on Jul 8, 2017
  1. Fix STAT on TLS connections

    CarloCannas committed Jul 8, 2017
    The STAT command output get sent unencrypted on the control socket (thus
    breaking the proper TLS stream) unless the client enabled private protection
    for the data socket via the PROT command.
    
    The problem is easly reproducible:
    
    $ openssl s_client -connect 127.0.0.1:1256 -starttls ftp
    220 You will be disconnected after 15 minutes of inactivity.
    user
    230 Anonymous user logged in
    stat a
    140316490120920:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
    
    OpenSSL s_client throws an error since pure-ftpd replied "213-STAT" directly
    on the TCP stream, in plain text, instead of witing it inside the TLS tunnel.
    
    The current code also allows a null pointer dereference: if you start TLS via
    AUTH TLS, then login, enable data socket protection (PROT P) and end TLS on
    control socket (CCC), a following STAT with argument will pass tls_cnx to
    SSL_write (ls.c:893), which was nulled by CCC command (ftp_parser.c:409).
Commits on May 15, 2017
  1. Merge branch 'master' of https://github.com/jedisct1/pure-ftpd

    jedisct1 committed May 15, 2017
    * 'master' of https://github.com/jedisct1/pure-ftpd:
      dynamicbase apparently causes some issues with recent Cygwin versions
      Note that bcrypt requires support from the C library
      LibreSSL compat
      Update ChangeLog again
      Count the number of stars in patterns
      Revert "Properly count recursion levels in bsdglob's match()"
      Update ChangeLog, bump version
      Properly count recursion levels in bsdglob's match()
      Add strict support for the OpenSSL 1.1 API
Commits on May 9, 2017
Commits on Apr 25, 2017
Commits on Apr 24, 2017
  1. LibreSSL compat

    jedisct1 committed Apr 24, 2017
  2. Update ChangeLog again

    jedisct1 committed Apr 24, 2017
  3. Revert "Properly count recursion levels in bsdglob's match()"

    jedisct1 committed Apr 24, 2017
    This reverts commit 4329068.
Commits on Apr 5, 2017
Commits on Feb 26, 2017
  1. No more contrib/Makefile.in

    jedisct1 committed Feb 26, 2017
  2. Remove debugging junk

    jedisct1 committed Feb 26, 2017