Avoid potential printf format string problem with challenge from

auth_challenge().  Currently, none of the auth modules put non-sanitized
data in the prompt so there are no real security implications with
this fix.  Patch from Moritz Jodeit.

1 files changed, 3 insertions, 3 deletions

diff --git a/libexec/ftpd/ftpd.c b/libexec/ftpd/ftpd.c
index 1d878adc012..2307e5b12e1 100644
--- a/libexec/ftpd/ftpd.c
+++ b/libexec/ftpd/ftpd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ftpd.c,v 1.136 2002/08/29 22:52:00 deraadt Exp $	*/
+/*	$OpenBSD: ftpd.c,v 1.137 2002/10/13 21:09:13 millert Exp $	*/
 /*	$NetBSD: ftpd.c,v 1.15 1995/06/03 22:46:47 mycroft Exp $	*/
 
 /*
@@ -74,7 +74,7 @@ static const char copyright[] =
 static const char sccsid[] = "@(#)ftpd.c	8.4 (Berkeley) 4/16/94";
 #else
 static const char rcsid[] = 
-    "$OpenBSD: ftpd.c,v 1.136 2002/08/29 22:52:00 deraadt Exp $";
+    "$OpenBSD: ftpd.c,v 1.137 2002/10/13 21:09:13 millert Exp $";
 #endif
 #endif /* not lint */
 
@@ -812,7 +812,7 @@ user(name)
 	}
 
 	if (as != NULL && (cp = auth_challenge(as)) != NULL)
-		reply(331, cp);
+		reply(331, "%s", cp);
 	else
 		reply(331, "Password required for %s.", name);