Posted to dev@mina.apache.org by "Albert Ho (JIRA)" <ji...@apache.org> on 2016/04/12 02:06:25 UTC

[jira] [Commented] (SSHD-605) VirtualFileSystemFactory allows escaping from root

    [ https://issues.apache.org/jira/browse/SSHD-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15236286#comment-15236286 ] 

Albert Ho commented on SSHD-605:
--------------------------------

Hi all, I took a look at the fix for this ticket and verified that the bug still exists in Apache SSHD 1.1.0 and 1.2.0.

I have a fix for this ticket locally, including extensive unit tests on the RootedFileSystemProvider.  I would be happy to take this on (assuming my employer authorizes it).  

You can follow the thread here: http://www.mail-archive.com/dev@mina.apache.org/msg26592.html



> VirtualFileSystemFactory allows escaping from root
> --------------------------------------------------
>
>                 Key: SSHD-605
>                 URL: https://issues.apache.org/jira/browse/SSHD-605
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>         Environment: Windows, JDK 7
>            Reporter: Damien B
>            Assignee: Goldstein Lyor
>              Labels: security
>             Fix For: 1.1.0
>
>
> Possibly Windows only.
> I start an SFTP server like this:
> sshd = SshServer.setUpDefaultServer();
> [...]
> sshd.setFileSystemFactory(new VirtualFileSystemFactory(myRootDir.getCanonicalPath()));
> [...]
> sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystemFactory()));
> I connect to the server with FileZilla.
> Upon connection, the files in myRootDir correctly appear under the server path '/'. But if I cd to '/c:/Windows/', the files in C:\Windows\ appear, escaping the VFS root.



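An added example, not code from Apache MINA SSHD or from the local fix mentioned in the comment: a containment check of the kind a rooted file system needs for the '/c:/Windows/' case in the report. The class and method names are hypothetical, and the sketch assumes the default java.nio file system and does a lexical check only.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class RootedResolveExample {
    // Hypothetical helper: map a client-supplied path onto a path under root.
    // Lexical check only; symbolic links inside root are not followed here.
    static Path resolveUnderRoot(Path root, String clientPath) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        Path resolved = base;
        // Walk '/'-separated names instead of calling base.resolve(clientPath):
        // Path.resolve(other) returns 'other' itself when 'other' is absolute.
        for (String name : clientPath.split("/")) {
            if (name.isEmpty() || name.equals(".")) {
                continue;
            }
            Path step;
            try {
                step = base.getFileSystem().getPath(name);
            } catch (InvalidPathException e) {
                throw new IOException("Illegal path component: " + name, e);
            }
            // On Windows "c:" parses as a drive root and "a\b" as two names.
            if (step.getRoot() != null || step.getNameCount() != 1) {
                throw new IOException("Illegal path component: " + name);
            }
            resolved = resolved.resolve(step).normalize();
            if (!resolved.startsWith(base)) {
                throw new IOException("Path escapes root: " + clientPath);
            }
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("vfs-root"); // constructed sample root
        // Constructed sample inputs, including the path from the report.
        String[] samples = {"/", "/docs/readme.txt", "/c:/Windows/", "/../etc", "/a/../../b"};
        for (String p : samples) {
            try {
                System.out.println(p + " -> " + resolveUnderRoot(root, p));
            } catch (IOException e) {
                System.out.println(p + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

On a non-Windows host "c:" is an ordinary file name, so '/c:/Windows/' maps to a directory inside the root rather than being rejected; either way the result stays under the root.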