File 1085-Document-security-considerations.patch of Package erlang
From 26076bf6168d39adc524d99968dd7cd9a2fcad7d Mon Sep 17 00:00:00 2001
From: Raimo Niskanen <raimo@erlang.org>
Date: Thu, 12 Feb 2026 15:51:07 +0100
Subject: [PATCH 5/5] Document security considerations
---
lib/tftp/doc/src/getting_started.xml | 7 ++--
lib/tftp/doc/src/introduction.xml | 53 ++++++++++++++++++++++++---
lib/tftp/doc/src/tftp.xml | 55 +++++++++++++++++++++++++---
3 files changed, 102 insertions(+), 13 deletions(-)
diff --git a/lib/tftp/doc/src/getting_started.xml b/lib/tftp/doc/src/getting_started.xml
index 079e6024fe..8b545021d0 100644
--- a/lib/tftp/doc/src/getting_started.xml
+++ b/lib/tftp/doc/src/getting_started.xml
@@ -5,7 +5,7 @@
<header>
<copyright>
<year>1997</year>
- <year>2021</year>
+ <year>2026</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -62,12 +62,13 @@
<p><em>Step 1.</em> Create a sample file to be used for the transfer:</p>
<code>
- $ echo "Erlang/OTP 21" > file.txt
+ $ echo "Erlang/OTP 21" > /tmp/file.txt
</code>
<p><em>Step 2.</em> Start the TFTP server:</p>
<code type="erl" >
- 1> {ok, Pid} = tftp:start([{port, 19999}]).
+ 1> Callback = {callback,{"",tftp_file,[{root_dir,"/tmp"}]}}.
+ 2> {ok, Pid} = tftp:start([{port, 19999}, Callback]).
<![CDATA[{ok,<0.65.0>}]]>
</code>
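Review bot: The Step 2 example sets `{root_dir,"/tmp"}`, which confines the callback but to a directory that is normally shared and writable by every local user, and nothing in the start options shown restricts write requests. For a getting-started snippet that readers will copy, a dedicated directory created for the demo (and used in Step 1 as well) would show the intended practice better than `/tmp` itself. It would also help to say in one sentence why the callback tuple is there, since the step text still only reads "Start the TFTP server".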
diff --git a/lib/tftp/doc/src/introduction.xml b/lib/tftp/doc/src/introduction.xml
index 1c2b8d3acf..a3b0b3c16b 100644
--- a/lib/tftp/doc/src/introduction.xml
+++ b/lib/tftp/doc/src/introduction.xml
@@ -45,10 +45,21 @@
authentication.</p>
<p>The <c>tftp</c> application implements the following IETF standards:</p>
<list type="bulleted">
- <item>RFC 1350, The TFTP Protocol (revision 2)</item>
- <item>RFC 2347, TFTP Option Extension</item>
- <item>RFC 2348, TFTP Blocksize Option</item>
- <item>RFC 2349, TFTP Timeout Interval and Transfer Size Options</item>
+ <item>
+ <url href="https://datatracker.ietf.org/doc/html/rfc1350">
+ RFC 1350</url>, The TFTP Protocol (revision 2)
+ </item>
+ <item>
+ <url href="https://datatracker.ietf.org/doc/html/rfc2347">
+ RFC 2347</url>, TFTP Option Extension
+ </item>
+ <item>
+ <url href="https://datatracker.ietf.org/doc/html/rfc2348">
+ RFC 2348</url>, TFTP Blocksize Option</item>
+ <item>
+ <url href="https://datatracker.ietf.org/doc/html/rfc2349">
+ RFC 2349</url>, TFTP Timeout Interval and Transfer Size Options
+ </item>
</list>
<p>The only feature that not is implemented is the <c>netascii</c> transfer mode.</p>
</section>
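Review bot: Style point in the new list: the RFC 2348 entry closes with `</item>` on the same line as its title, while the other three entries put `</item>` on its own line. Please make the four entries consistent. Since this paragraph block is being touched anyway, the following context line "The only feature that not is implemented" could be corrected to "that is not implemented" in the same patch.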
@@ -59,4 +70,36 @@
programming language, concepts of OTP, and has a basic
understanding of the TFTP protocol.</p>
</section>
+
+ <section>
+ <title>Security Considerations</title>
+ <p>
+ As stated in
+ (<url href="https://datatracker.ietf.org/doc/html/rfc1350">RFC 1350</url>)
+ be aware that "Since TFTP includes no login or access control mechanisms,
+ care must be taken in the rights granted to a TFTP server process so as
+ not to violate the security of the server hosts file system.
+ TFTP is often installed with controls such that only files that have
+ public read access are available via TFTP and writing files via TFTP
+ is disallowed."
+ </p>
+ <p>
+ This essentially means that any machine on the network
+ that can reach the TFTP server is able to read and write,
+ without authentication, any file on the machine that runs
+ the TFTP server, that the user (or group) that runs the TFTP server
+ (in this case the Erlang VM) is allowed to read or write.
+ The machine configuration has to be prepared for that.
+ </p>
+ <warning>
+ <p>
+ The default behavior mentioned above is in general very risky,
+ and as a remedy, this TFTP application's default callback
+ <c>tftp_file</c> implements an initial state option
+ <c>{root_dir,Dir}</c> that restricts the callback's file accesses
+ to <c>Dir</c> and subdirectories. It is recommended
+ to use that option when starting start this TFTP server.
+ </p>
+ </warning>
+ </section>
</chapter>
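Review bot: In the new warning, "when starting start this TFTP server" has a duplicated word and should read "when starting this TFTP server". In the first paragraph, "As stated in (<url ...>RFC 1350</url>) be aware that" reads awkwardly with the reference in parentheses; dropping the parentheses and splitting off the quotation would be clearer. The warning also calls the unrestricted access "the default behavior mentioned above", but the preceding paragraph never says it is the default, so it would help to state explicitly that this is what happens when `tftp_file` is used without `root_dir`.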
diff --git a/lib/tftp/doc/src/tftp.xml b/lib/tftp/doc/src/tftp.xml
index 520ede365f..d00d47db5b 100644
--- a/lib/tftp/doc/src/tftp.xml
+++ b/lib/tftp/doc/src/tftp.xml
@@ -4,7 +4,7 @@
<erlref>
<header>
<copyright>
- <year>2006</year><year>2021</year>
+ <year>2006</year><year>2026</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -132,11 +132,11 @@
mostly useful for the server as it can restrict the use
of certain TFTP options or read/write access.</p>
</item>
- <tag><c>{callback, {RegExp, Module, State}}</c></tag>
+ <tag><c>{callback, {RegExp, Module, InitialState}}</c></tag>
<item>
<p><c>RegExp = string()</c> <br></br>
<c>Module = atom()</c> <br></br>
-<c>State = term()</c></p>
+<c>InitialState = term()</c></p>
<p>Registration of a callback module. When a file is to be
transferred, its local filename is matched to the regular
expressions of the registered callbacks. The first matching
@@ -144,8 +144,34 @@
<seemfa marker="#read_file/3">read_file/3</seemfa> and
<seemfa marker="#write_file/3">write_file/3</seemfa>.
</p>
- <p>The callback module must implement the <c>tftp</c> behavior, see
- <seeerl marker="#tftp_callback">CALLBACK FUNCTIONS</seeerl>.</p>
+ <p>The callback module must implement the <c>tftp</c> behavior, see
+ <seeerl marker="#tftp_callback">CALLBACK FUNCTIONS</seeerl>.</p>
+ <p>
+ At the end of the list of callbacks there are always
+ the default callbacks <c>tftp_file</c> and <c>tftp_binary</c>
+ with the <c>RegExp</c> <c>""</c> and <c>InitialState</c>
+ <c>[]</c>.
+ </p>
+ <p>
+ The <c>InitialState</c> should be an option list, and the
+ empty list should be accepted by any callback module.
+ The <c>tftp_file</c> callback module accepts
+ an <c>InitialState = [{root_dir, Dir}]</c>
+ that restrict local file operations to files in <c>Dir</c>
+ and subdirectories. All file names received in protocol
+ requests, relative or absolute, are regarded as
+ relative to this directory.
+ </p>
+ <warning>
+ <p>
+ The default callback module configuration allows
+ access to any file on any local filesystem that is
+ readable or writable by the user running the Erlang VM.
+ This can be a security vulnerability. It is therefore
+ recommenced to explicitly configure the <c>tftp_file</c>
+ callback module to use the <c>root_dir</c> option.
+ </p>
+ </warning>
</item>
<tag><c>{logger, Module}</c></tag>
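Review bot: Two typos in the added text: "recommenced" in the warning should be "recommended", and "that restrict local file operations" should be "that restricts". On substance, the `root_dir` paragraph says that relative and absolute names are "regarded as relative to this directory" but does not say what happens to a request filename containing `..` components. That is the first thing a reader relying on this option for confinement will want to know, so please document whether such names are rejected or normalized. It would also be worth stating what an unrecognized key in the `InitialState` option list does, since the text asks every callback module to accept an option list.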
@@ -297,6 +323,25 @@
port. When it receives a request for read or write, it spawns
a temporary server process handling the actual transfer
of the (virtual) file.</p>
+ <p>
+ The request filename is matched against the regexps
+ of the registered callback modules, and the first match
+ selects the callback to handle the request.
+ </p>
+ <p>
+ If there are no registered callback modules,
+ <c>tftp_file</c> is used, with the initial state <c>[]</c>.
+ </p>
+ <warning>
+ <p>
+ The default callback module configuration allows
+ access to any file on any local filesystem that is
+ readable or writable by the user running the Erlang VM.
+ This can be a security vulnerability. See the
+ <url href="#options">{callback,_}</url>
+ option at the start of this module reference for a remedy.
+ </p>
+ </warning>
</desc>
</func>
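Review bot: The sentence "If there are no registered callback modules, <c>tftp_file</c> is used" does not match the option description added earlier in this patch, which says the default callbacks `tftp_file` and `tftp_binary` are always at the end of the callback list. Please align the two descriptions so it is clear whether the defaults apply only when nothing is registered or also as a fallback when no registered regexp matches, because in the second case the unrestricted `tftp_file` remains reachable even after a restricted callback is configured. Also, the cross-reference uses `<url href="#options">` while the rest of this file links within the document using `<seeerl marker=...>` and `<seemfa marker=...>`; using the same element here keeps the link handling consistent.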
--
2.51.0