1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>The FTP-Proxy White Paper: Command Restriction</TITLE>
<LINK HREF="ftp-proxy-7.html" REL=next>
<LINK HREF="ftp-proxy-5.html" REL=previous>
<LINK HREF="ftp-proxy.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="ftp-proxy-7.html">Next</A>
<A HREF="ftp-proxy-5.html">Previous</A>
<A HREF="ftp-proxy.html#toc6">Contents</A>
<HR>
<H2><A NAME="commandrestriction"></A> <A NAME="s6">6. Command Restriction</A></H2>
<P>The FTP-Proxy allows to define a space separated list of allowed
FTP commands using the <CODE>ValidCommands</CODE> configuration
variable in global and in a per user context.
If this variable is not used (default), no command restriction
will take place and all of the following commands are allowed:
<P>
<PRE>
ABOR ACCT ALLO APPE CDUP CWD
DELE HELP LIST MAIL MDTM MKD
MLFL MODE MRCP MRSQ MSAM MSND
MSOM NLST NOOP PASS PASV PORT
PWD QUIT REIN REST RETR RMD
RNFR RNTO SITE SIZE SMNT STAT
STOR STOU STRU SYST TYPE USER
XCUP XCWD XMKD XPWD XRMD
</PRE>
<P>Otherwise, only commands included in the list are allowed
and all other denied.
<P>
<P>Further, if the FTP-Proxy is compiled with regular expression
support (see
<A HREF="ftp-proxy-2.html#installation">--with-regex</A> switch),
each command may be followed by an optional equal sign and a
<EM>POSIX 1003.2 Extended Regular Expression (RE)</EM> that
describes the valid argument(s) for the command.
<P>If the whole string is to be matched, the pattern has to start
with a caret (^) and end with a dollar ($). If no pattern
follows a command, its arguments are not checked.
<P>An example for a name would be the pattern
<CODE>^[a-zA-Z0-9]{1,16}$</CODE>, i.e. as expresion for the USER
command:
<PRE>
USER=^[a-zA-Z0-9]{1,16}$
</PRE>
This definition specifies, that the argument is mandatory and may
consist of up to 16 letters or digits only.
<P>A command that does not allow any arguments can also easily be
represented, i.e:
<PRE>
QUIT=^$
</PRE>
<P>
<P>Please note that the regular expression is "pre-processed". This
means that a pattern in the form <CODE>%xx</CODE> will be interpreted
as a hexadecimal constant and will be replaced by the value of
that constant. This looks a bit like HTML and helps to include
characters that might not be handled as expected, like <CODE>%20</CODE>
for space or <CODE>%5c</CODE> (equivalent to <CODE>%5C</CODE>) for backslash.
The space is especially important because it is the separator
for the commands within the list itself.
<P>
<P>
<HR>
<A HREF="ftp-proxy-7.html">Next</A>
<A HREF="ftp-proxy-5.html">Previous</A>
<A HREF="ftp-proxy.html#toc6">Contents</A>
</BODY>
</HTML>
|