Pullup ticket 213 - requested by Adrian Portelli

security fix for tnftp

        Module Name:	pkgsrc
        Committed By:	lukem
        Date:		Tue Jan  4 23:18:56 UTC 2005

        Update of /cvsroot/pkgsrc/net/tnftp/files
        In directory ivanova.netbsd.org:/tmp/cvs-serv1263

        Log Message:
        Import tnftp 20050103.
        Various changes, including:
        	* forbid mget of filenames that aren't in or below
                  the local cwd.
        	* improve auto-fetch transfers
        	* improve www/proxy authentication support
        	* improve http response header parsing
        	* change UCB-licensed code from 4-clause to 3-clause

net/tnftp/Makefile

@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.9 2004/07/27 10:25:24 grant Exp $
+# $NetBSD: Makefile,v 1.9.4.1 2005/01/07 02:25:55 salo Exp $
 #
 
-DISTNAME=		tnftp-20030825
-PKGREVISION=		1
+DISTNAME=		tnftp-20050103
 SVR4_PKGNAME=		tnftp
 CATEGORIES=		net
 MASTER_SITES=		# empty
@@ -41,6 +40,6 @@ OPSYSVARS+=		MAKE_ENV
 MAKE_ENV.SunOS+=	CPPFLAGS=""
 
 do-extract:
-	@${CP} -Rp ${FILESDIR} ${WRKSRC}
+	@${CP} -R ${FILESDIR} ${WRKSRC}
 
 .include "../../mk/bsd.pkg.mk"

net/tnftp/files/COPYING

@@ -1,6 +1,6 @@
-$Id: COPYING,v 1.1 2004/03/11 13:01:01 grant Exp $
+$Id: COPYING,v 1.1.8.1 2005/01/07 02:25:55 salo Exp $
 
-Copyright (c) 2001-2003 The NetBSD Foundation, Inc.
+Copyright (c) 2001-2005 The NetBSD Foundation, Inc.
 All rights reserved.
 
 This code is derived from software contributed to The NetBSD Foundation

net/tnftp/files/ChangeLog

@@ -1,4 +1,81 @@
-$Id: ChangeLog,v 1.1 2004/03/11 13:01:01 grant Exp $
+$Id: ChangeLog,v 1.1.8.1 2005/01/07 02:25:55 salo Exp $
+
+Mon Jan  3 10:21:57 UTC 2005	lukem
+
+	* Release "tnftp 20050103"
+
+	* Merge NetBSD-ftp 20050103:
+		- Forbid filenames returned from mget that aren't in (or below)
+		  the current directory.  The previous behaviour (of trusting
+		  the remote server's response when retrieving the list of
+		  files to mget with prompting disabled) has been in ftp
+		  ~forever, and has been a "known issue" for a long time.
+		  Recently an advisory was published by D.J. Bernstein on
+		  behalf of Yosef Klein warning of the problems with the
+		  previous behaviour, so to alleviate concern I've fixed
+		  this with a sledgehammer.
+		- Remember the local cwd after any operation which may
+		  change it.
+		- Use "remotecwd" instead of "remotepwd".
+		- Add (unsigned char) cast to ctype functions
+		- Ensure that "mname" is set in ls() and mls() so that an
+		  aborted confirm() prints the correct name.
+		  Problem highlighted & suggested fix from PR [bin/17766]
+		  by Steve McClellan.
+		- If an ftp auto-fetch transfer is interrupted by SIGINT
+		  (usually ^C), exit with 130 instead of 1 (or rarely, 0).
+		  This allows an ftp auto-fetch in a shell loop to correctly
+		  terminate the loop.
+		  Should fix PR [pkg/26351], and possibly others.
+		- Save approximately 8K by not including http authentication,
+		  extended status messages and help strings when the
+		  appropriate options are set.
+		- Move UCB-licensed code from 4-clause to 3-clause licence.
+		  Patches provided by Joel Baker in PR 22365, verified by
+		  Alistair Crooks.
+		- Always decode %xx in a url's user & pass components.
+		- Only remember {WWW,Proxy}-Authenticate "Basic" challenges; no
+		  point in tracking any others since ftp doesn't support them.
+		- Improve the parsing of HTTP responses.
+		- Don't base64 encode the trailing NUL in the HTTP basic auth
+		  response.  Problem noted by Eric Haszlakiewicz.
+		- Improve parsing of HTTP response headers to be more RFC2616
+		  compliant, and skip LWS (linear white space; CR, LF, space,
+		  tab) and the end of lines and between the field name and
+		  the field value.  This still isn't 100% compliant, since we
+		  don't support "multi line" responses at this time.
+		  This should fix PR [bin/22611] from TAMURA Kent (although I
+		  can't easily find a http server to reproduce the problem
+		  against.)
+		- Fix a minor memory leak when parsing HTTP response headers.
+		- Don't unnecessarily display a 401/407 error when running
+		  with -V.  Fix from PR [bin/18535] by Jeremy Reed.
+		- Don't warn about "ignored setsockopt" failures unless
+		  debugging is enabled.  Suggested by Todd Vierling.
+		- Allow empty passwords in ftp://user:@host/file auto-fetch
+		  URLs, per RFC 1738.  Requested by Simon Poole.
+		- correct URL syntax in comment
+		- Note potentially surprising file-saving behaviour in case
+		  of HTTP redirects
+		- -n is ignored for auto-fetch transfers
+		- If connect(2) in xconnect() fails with EINTR, call select(2)
+		  on the socket until it's writable or it fails with something
+		  other than EINTR.  This matches the behaviour in SUSv3, and
+		  prevents the problem when pressing ^T (SIGINFO, which is
+		  marked as restartable) during connection setup would cause
+		  ftp to fail with EADDRINUSE or EALREADY when the second
+		  connect(2) was attempted on the same socket.  Problem found
+		  and solution provided by Maxime Henrion <mux@freebsd.org>.
+		- Add -q to usage. From Kouichirou Hiratsuka in PR 26199.
+		- PR/25566: Anders Magnusson: ftp(1) do not like large TCP
+		  windows.  Limit it to 8M.
+
+Mon Oct  6 01:23:03 UTC 2003	lukem
+
+	* configure.in improvements:
+		- When testing for IN6ADDRSZ in <arpa/nameser.h>, pull in
+		  <sys/types.h> first.  From Stoned Elipot <seb @ NetBSD>
+		- Whitespace cleanup
 
 Mon Aug 25 11:45:45 UTC 2003	lukem
 

net/tnftp/files/README

@@ -4,8 +4,8 @@ WHAT IS TNFTP?
 `tnftp' is a `port' of the NetBSD FTP client to other systems.
 See http://www.NetBSD.org/ for more details about NetBSD.
 
-tnftp was formerly known as `lukemftp' and was renamed by Luke Mewburn
-in February 2003.
+tnftp was formerly known as `lukemftp'
+It was renamed to `tnftp' by Luke Mewburn in February 2003.
 
 The enhancements over the standard ftp client in 4.4BSD (and
 derivatives) include:

net/tnftp/files/config.h.in

@@ -1,5 +1,5 @@
 /* config.h.in.  Generated automatically from configure.in by autoheader.  */
-/* $Id: config.h.in,v 1.3 2004/04/25 02:48:12 grant Exp $ */
+/* $Id: config.h.in,v 1.3.6.1 2005/01/07 02:25:55 salo Exp $ */
 
 
 /* Define if on AIX 3.