
6. Command Restriction

The FTP-Proxy lets you define a space-separated list of allowed FTP commands with the ValidCommands configuration variable, both globally and in a per-user context. If this variable is not set (the default), no command restriction takes place and all of the following commands are allowed:

  ABOR ACCT ALLO APPE CDUP CWD
  DELE HELP LIST MAIL MDTM MKD
  MLFL MODE MRCP MRSQ MSAM MSND
  MSOM NLST NOOP PASS PASV PORT
  PWD  QUIT REIN REST RETR RMD
  RNFR RNTO SITE SIZE SMNT STAT
  STOR STOU STRU SYST TYPE USER
  XCUP XCWD XMKD XPWD XRMD

Otherwise, only the commands included in the list are allowed and all others are denied.

Further, if the FTP-Proxy is compiled with regular expression support (see --with-regex switch), each command may be followed by an optional equal sign and a POSIX 1003.2 Extended Regular Expression (RE) that describes the valid argument(s) for the command.

If the whole string is to be matched, the pattern has to start with a caret (^) and end with a dollar ($). If no pattern follows a command, its arguments are not checked.

An example for a name would be the pattern ^[a-zA-Z0-9]{1,16}$, e.g. as the expression for the USER command:

  USER=^[a-zA-Z0-9]{1,16}$

This definition specifies that the argument is mandatory and may consist of up to 16 letters or digits only.

A command that does not allow any arguments can also easily be represented, e.g.:

  QUIT=^$

Please note that the regular expression is "pre-processed". This means that a pattern in the form %xx will be interpreted as a hexadecimal constant and will be replaced by the value of that constant. This looks a bit like HTML and helps to include characters that might not be handled as expected, like %20 for space or %5c (equivalent to %5C) for backslash. The space is especially important because it is the separator for the commands within the list itself.
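A candidate ValidCommands value can be checked against sample commands before it is deployed. The following is an added example, not FTP-Proxy source code: it models the rules described above with POSIX regcomp()/regexec(), and the function names, the sample list, exact upper-case command matching and denying on a pattern that fails to compile are assumptions.

```c
#include <ctype.h>
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample value; CWD is deliberately left unanchored. */
static const char SAMPLE[] = "USER=^[a-zA-Z0-9]{1,16}$ PASS QUIT=^$ "
                             "SITE=^CHMOD%20[0-7]{3}%20[a-z]+$ CWD=[a-z]+";

/* Replace each %xx (two hex digits) in s, in place, with the byte it encodes. */
static void decode_percent(char *s) {
    char *out = s;
    for (; *s; s++, out++) {
        *out = *s;
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *out = (char)strtol(hex, NULL, 16);
            s += 2;
        }
    }
    *out = '\0';
}

/* Returns 1 if cmd with argument arg passes a non-empty ValidCommands value, else 0.
 * Models the documented rules only (assumptions: see lead-in); not the proxy's code. */
int command_allowed(const char *valid_commands, const char *cmd, const char *arg) {
    char *list = malloc(strlen(valid_commands) + 1);
    int allowed = 0;
    if (!list) return 0;
    strcpy(list, valid_commands);
    for (char *e = list, *next; *e; e = next) {
        char *end = e + strcspn(e, " ");    /* entries are space separated */
        next = *end ? end + 1 : end;
        *end = '\0';
        char *pat = strchr(e, '=');
        if (pat) *pat++ = '\0';             /* split COMMAND=PATTERN */
        if (*e && strcmp(e, cmd) == 0) {
            regex_t re;
            allowed = (pat == NULL);        /* no pattern: arguments unchecked */
            if (pat) decode_percent(pat);   /* %20 -> space, %5c -> backslash */
            if (pat && regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) == 0) {
                allowed = (regexec(&re, arg, 0, NULL, 0) == 0);
                regfree(&re);
            }
            break;
        }
    }
    free(list);
    return allowed;
}
```

With the sample list, the argument `../../etc` passes the CWD entry because the unanchored `[a-z]+` only has to match a substring; `CWD=^[a-z]+$` rejects it.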

