The FTP-Proxy lets you define a space-separated list of allowed FTP commands using the ValidCommands configuration variable, either globally or in a per-user context.
If this variable is not set (the default), no command restriction takes place and all of the following commands are allowed:
ABOR ACCT ALLO APPE CDUP CWD DELE HELP LIST MAIL MDTM MKD MLFL MODE MRCP MRSQ MSAM MSND MSOM NLST NOOP PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD XPWD XRMD
Otherwise, only the commands included in the list are allowed and all others are denied.
Further, if the FTP-Proxy is compiled with regular expression support (see --with-regex switch), each command may be followed by an optional equal sign and a POSIX 1003.2 Extended Regular Expression (RE) that describes the valid argument(s) for the command.
If the whole string is to be matched, the pattern has to start with a caret (^) and end with a dollar sign ($). If no pattern follows a command, its arguments are not checked.
An example for a name would be the pattern ^[a-zA-Z0-9]{1,16}$, i.e. as an expression for the USER command:
USER=^[a-zA-Z0-9]{1,16}$
This definition specifies that the argument is mandatory and may consist of up to 16 letters or digits only.
A command that does not allow any arguments can also easily be represented, for example:
QUIT=^$
Please note that the regular expression is "pre-processed". This means that a pattern in the form %xx will be interpreted as a hexadecimal constant and will be replaced by the value of that constant. This looks a bit like HTML and helps to include characters that might not be handled as expected, like %20 for space or %5c (equivalent to %5C) for backslash.
The space is especially important because it is the separator for the commands within the list itself.
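
The following C sketch is an added example, not the FTP-Proxy source: it models the rules described above (space-separated entries, optional =pattern, %xx pre-processing, POSIX extended regular expressions via regcomp) so that a candidate ValidCommands value can be checked against sample arguments. The function names, the case-insensitive command comparison, the deny-on-unusable-pattern behavior and the SITE pattern are assumptions made for illustration.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Replace each %xx (two hex digits) in s with the byte it names, in place. */
static void decode_percent(char *s)
{
    char *out = s, hex[3] = { 0 };
    for (; *s; s++, out++) {
        *out = *s;
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            hex[0] = s[1]; hex[1] = s[2]; s += 2;
            *out = (char)strtol(hex, NULL, 16);
        }
    }
    *out = '\0';
}

/* Return 1 if cmd with argument arg passes the space-separated list, else 0.
 * Assumptions: names compare case-insensitively; an unusable pattern denies. */
int cmd_allowed(const char *list, const char *cmd, const char *arg)
{
    char pat[256] = { 0 };   /* zero-filled, so the copied pattern stays terminated */
    regex_t re;
    size_t n, name;
    for (const char *p = list; *p; p += n + strspn(p + n, " ")) {
        n = strcspn(p, " "); name = strcspn(p, "= ");  /* entry and name lengths */
        if (!name || name != strlen(cmd) || strncasecmp(p, cmd, name) != 0) continue;
        if (name == n) return 1;                /* no pattern: argument unchecked */
        if (n - name - 1 >= sizeof pat) return 0;
        memcpy(pat, p + name + 1, n - name - 1);
        decode_percent(pat);
        if (regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) != 0) return 0;
        int ok = (regexec(&re, arg, 0, NULL, 0) == 0);
        regfree(&re);
        return ok;
    }
    return 0;                                   /* command not in the list */
}

int main(void)
{
    /* Constructed sample list; the SITE pattern is illustrative only. */
    const char *cfg = "USER=^[a-zA-Z0-9]{1,16}$ QUIT=^$ PWD SITE=^chmod%20[0-7]{3}%20[a-z.]+$";
    printf("%d %d\n", cmd_allowed(cfg, "SITE", "chmod 644 a.txt"), cmd_allowed(cfg, "DELE", "x"));
    return 0;
}
```

Running a candidate list through a check like this shows the effect of the anchors: USER=[a-zA-Z0-9]{1,16} without ^ and $ accepts any argument that contains at least one letter or digit, while the anchored form rejects it.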