FTP path traversal and sprintf overflows in ftpfqn.c

## Summary

The FTP path resolution function does not enforce root directory boundaries, and uses unbounded `sprintf()` throughout.

## Affected Files

- `src/ftpfqn.c:176-254` (resolve_path)
- `src/ftpfqn.c` lines 35, 52, 62, 73, 89, 108, 112, 120, 124, 140, 150, 153

## Details

### Path traversal

```c
while (p = strstr(path, "/..")) {
    /* normalizes but does not enforce root boundary */
}
```

An attacker can escape the FTP root directory with `CWD ../../etc`.

### Buffer overflows

Multiple `sprintf()` calls combine working directory and user input without bounds checking:

```c
sprintf(buf, "%s%s", ftpc->cwd, in);
sprintf(buf, "%s.%s", ftpc->cwd, in);
sprintf(out, "%s/%s", ftpc->ufs->cwd->path, buf);
```

## Fix

1. After path resolution, verify the canonical path starts with the configured FTP root.
2. Replace all `sprintf()` with `snprintf()`.

## Severity

CRITICAL — path traversal + buffer overflow, both exploitable via FTP commands.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FTP path traversal and sprintf overflows in ftpfqn.c #6

Summary

Affected Files

Details

Path traversal

Buffer overflows

Fix

Severity

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

FTP path traversal and sprintf overflows in ftpfqn.c #6

Description

Summary

Affected Files

Details

Path traversal

Buffer overflows

Fix

Severity

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions