What is Globbing?
Globbing is a common Unix shell mechanism for expanding wildcard patterns,
for matching multiple filenames. From the glob(7) man page:
A string is a wildcard pattern if it contains one of the characters
`?', `*' or `['. Globbing is the operation that expands a wildcard pattern
into the list of pathnames matching the pattern. Matching is defined by:
A `?' (not between brackets) matches any single character.
A `*' (not between brackets) matches any string, including the empty
string.
The RFCs that define FTP do not explicitly mention globbing; this means that
FTP servers are not required to support globbing in order to be
compliant. However, many FTP servers do support globbing (including
ProFTPD), as a measure of convenience for FTP clients and users.
The mget ftp(1) command commonly uses globbing
to retrieve multiple files, e.g.:
ftp> mget *.gzor:
ftp> mget pub/music/*.mp3Other FTP clients may have similar client-side commands for listing and retrieiving multiple files based on globbing expressions.
Why Globbing is an Issue
In order to search for and match the given globbing expression, the code
has to search (possibly) many directories, examine each contained filename,
and build a list of matching files in memory. This operation can be quite
intensive, both CPU- and memory-wise. This intense use of resources led
to the original posting of possible Denial of Service (DoS) attacks
against proftpd (later, when the culprit was tracked to the
underlying library globbing code, other applications were found to be
vulnerable as well):
http://bugs.proftpd.org/show_bug.cgi?id=1066The above bug report shows an example of a globbing expression that was used to attempt a DoS by means of many directory levels.
Some servers (e.g. wu-ftpd) come with their own custom code
for handling globs; others (including proftpd) make use of the
system's C library routines for globbing. The GNU globbing code, bundled
with proftpd, was updated to match the current GNU implementation
of globbing in their C library (glibc), and proftpd
was changed to always use that bundled GNU code, rather than the host system's
globbing functions (as the host code might possibly be unsafe).
Every now and then, this issue is reported on various mailing lists. As
some system resources are needed when handling globbing expression,
some users report this as a DoS possibilty. Which is why proftpd
supports a few ways to restrict how globbing is handled, according to the
needs of the site.
Globbing Restrictions
ProFTPD has several mechanisms in place for limiting, or disabling entirely,
support for globbing. If your site does not require globbing, it is highly
recommended that globbing be disabled altogether, by adding this to your
proftpd.conf:
UseGlobbing off
If, on the other hand, your site does need to support globbing (many
FTP users will assume that globbing is supported), there are other ways of
limiting the amount of resources used when globbing: the
RLimitCPU and
RLimitMemory configuration directives. In proftpd-1.2.7, these directives were enhanced so that they could be applied
strictly to session processes (rather than the daemon process):
RLimitCPU session ... RLimitMemory session ...And, for the paranoid system administrator, a way of limiting the number of directories supported in a globbing expression was added in
1.2.8rc1: PR_TUNABLE_GLOBBING_MAX. By default, the maximum number
of levels supported is 8 (this is the hardcoded default in the GNU library
implementation of globbing). To change this to a lower number, compile
proftpd using a configure line that looks
something like this:
CFLAGS="-DPR_TUNABLE_GLOBBING_MAX=3" ./configure ...A globbing expression that contains more than the maximum number of supported levels is not executed, but instead an error code signalling "out of memory" is immediately returned, which is GNU's way of saying that it will not handle the expression.