Description: Fix unauthenticated read/write of files with mod_copy
 CVE-2015-3306: The mod_copy module in ProFTPD 1.3.5 allows remote
 attackers to read and write to arbitrary files via the site cpfr
 and site cpto commands.
Origin: upstream, http://bugs.proftpd.org/show_bug.cgi?id=4169
Bug: http://bugs.proftpd.org/show_bug.cgi?id=4169
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/proftpd-dfsg/+bug/1462311
Forwarded: not-needed
Author: Brian Morton <bmorton@dvidshub.net>
Last-Update: 2016-12-04

--- proftpd-dfsg-1.3.5~rc3.orig/contrib/mod_copy.c
+++ proftpd-dfsg-1.3.5~rc3/contrib/mod_copy.c
@@ -540,11 +540,22 @@ MODRET copy_cpfr(cmd_rec *cmd) {
   int res;
   char *path = "";

+  unsigned char *authenticated = NULL;
+
   if (cmd->argc < 3 ||
       strncasecmp(cmd->argv[1], "CPFR", 5) != 0) {
     return PR_DECLINED(cmd);
   }

+  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
+  if (authenticated == NULL ||
+      *authenticated == FALSE) {
+    pr_response_add_err(R_530, _("Please login with USER and PASS"));
+
+    errno = EPERM;
+    return PR_ERROR(cmd);
+  }
+
   CHECK_CMD_MIN_ARGS(cmd, 3);

   /* Construct the target file name by concatenating all the parameters after
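Review bot: The login check added after the CPFR match is repeated verbatim in copy_cpto (second hunk), so the two gates can drift apart and a SITE handler added to this module later can miss the check entirely. Moving it into one static helper that both handlers call keeps the 530 response and the EPERM errno in a single place. Neither copy carries a comment saying why it is there; the helper's header comment is the natural place to record that these handlers are reachable before login. The body of copy_cpfr continues outside the hunk, so the excerpt below shows only the helper and the call site.

```c
/* SITE CPFR/CPTO are reachable before login; refuse them until the session
 * is authenticated.  Returns 0 when authenticated; otherwise queues a 530
 * response, sets errno to EPERM and returns -1.
 */
static int copy_require_auth(cmd_rec *cmd) {
  unsigned char *authenticated;

  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
  if (authenticated != NULL &&
      *authenticated != FALSE) {
    return 0;
  }

  pr_response_add_err(R_530, _("Please login with USER and PASS"));
  errno = EPERM;
  return -1;
}

MODRET copy_cpfr(cmd_rec *cmd) {
  /* … unchanged: declarations and the CPFR/argc check … */

  if (copy_require_auth(cmd) < 0) {
    return PR_ERROR(cmd);
  }

  /* … unchanged: CHECK_CMD_MIN_ARGS and path construction … */
```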
@@ -594,12 +605,22 @@ MODRET copy_cpfr(cmd_rec *cmd) {
 MODRET copy_cpto(cmd_rec *cmd) {
   register unsigned int i;
   char *from, *to = "";
+  unsigned char *authenticated = NULL;

   if (cmd->argc < 3 ||
       strncasecmp(cmd->argv[1], "CPTO", 5) != 0) {
     return PR_DECLINED(cmd);
   }

+  authenticated = get_param_ptr(cmd->server->conf, "authenticated", FALSE);
+  if (authenticated == NULL ||
+      *authenticated == FALSE) {
+    pr_response_add_err(R_530, _("Please login with USER and PASS"));
+
+    errno = EPERM;
+    return PR_ERROR(cmd);
+  }
+
   CHECK_CMD_MIN_ARGS(cmd, 3);

   from = pr_table_get(session.notes, "mod_copy.cpfr-path", NULL);
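Review bot: The gate added to copy_cpto establishes only that the session has logged in. Nothing in this hunk shows the stored CPFR path or the CPTO target being checked against the server's per-directory access rules (for example `<Limit>` sections) before the copy. The rest of the function is outside the hunk, so that check may exist further down. If it does, a comment at the gate would make the split explicit: `/* Login gate only; path permissions are enforced on the copy below. */`. If it does not, any logged-in account, presumably including an anonymous login, could still copy files that a normal download or upload would refuse, and this fix should be paired with such a check.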
