This memo does not directly concern security. It is not believed
that any of the mechanisms documented here impact in any particular
way upon the security of FTP.

Implementing the SIZE command, and perhaps some of the facts of the
MLSx commands, may impose a considerable load on the server, which
could lead to denial of service attacks. Servers have, however,
implemented this for many years, without significant reported
difficulties.

The server-FTP should take care not to reveal sensitive information
about files to unauthorised parties. In particular, some underlying
filesystems provide a file identifier that, if known, can allow many
of the filesystem protection mechanisms to be by-passed. That
identifier would not be a suitable choice to use as the basis of the
value of the unique fact.
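
One way for a server to follow this advice, given as an added example that is not part of this memo: derive the value of the unique fact from a keyed hash (HMAC-SHA-256) of the underlying identifier, so the same file always yields the same value but the raw identifier is never sent to the client. The function names, the use of the device and inode numbers as the underlying identifier, and the 128-bit truncation are assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import struct
import tempfile


def unique_from_ids(dev: int, ino: int, key: bytes) -> str:
    """Map a (device, inode) pair to an opaque token (hypothetical helper).

    HMAC keeps the mapping deterministic, so the same file always yields the
    same token, while a client without the key cannot recover the raw ids.
    """
    mask = 0xFFFFFFFFFFFFFFFF
    msg = struct.pack(">QQ", dev & mask, ino & mask)
    # Keep 128 bits of the tag; the output consists of hex digits only.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def unique_fact(path: str, key: bytes) -> str:
    """Return the fact as it would appear in an MLSx fact list."""
    st = os.stat(path)  # follows symlinks, so a link and its target match
    return "unique=" + unique_from_ids(st.st_dev, st.st_ino, key)


if __name__ == "__main__":
    # Assumption: a per-server secret; persist it if values must survive a restart.
    key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "a.txt")
        b = os.path.join(d, "b.txt")
        for p in (a, b):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        print(unique_fact(a, key))
        print(unique_fact(b, key))
        print("unsafe alternative (raw inode):", os.stat(a).st_ino)
```
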

The FEAT and OPTS commands may be issued before the FTP
authentication has occurred [6]. This allows unauthenticated clients
to determine which of the features defined here are supported, and to
negotiate the fact list for MLSx output. No actual MLSx commands may
be issued however, and no problems with permitting the selection of
the format prior to authentication are foreseen.

A general discussion of issues related to the security of FTP can be
found in [13].