mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Damien B (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SSHD-605) VirtualFileSystemFactory allows escaping from root
Date Tue, 01 Dec 2015 12:02:11 GMT

     [ https://issues.apache.org/jira/browse/SSHD-605?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Damien B updated SSHD-605:
--------------------------
    Description: 
Possibly Windows only.

I start a SFTP server like this:
sshd = SshServer.setUpDefaultServer();
[...]
sshd.setFileSystemFactory(new VirtualFileSystemFactory(myRootDir.getCanonicalPath()));
[...]
sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystemFactory()));

I connect to the server with FileZilla.
Upon connexion, the files in myRooDir correctly appear under the server path '/'. But if I
cd to '/c:/Windows/', the files in C:\Windows\ appear, escaping the VFS root.

  was:
Possibly Windows only.

I start a SFTP server like this:
sshd = SshServer.setUpDefaultServer();
[...]
sshd.setFileSystemFactory(new VirtualFileSystemFactory(myRootDir.getCanonicalPath()));
[...]
sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystemFactory()));

I connect to the server with FileZilla.
Upon connexion, the files in myRooDir correctly appear under the server path '/'. But if I
cd to '/c:/', the files in C: appear, escaping the VFS root.


> VirtualFileSystemFactory allows escaping from root
> --------------------------------------------------
>
>                 Key: SSHD-605
>                 URL: https://issues.apache.org/jira/browse/SSHD-605
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>         Environment: Windows, JDK 7
>            Reporter: Damien B
>              Labels: security
>
> Possibly Windows only.
> I start a SFTP server like this:
> sshd = SshServer.setUpDefaultServer();
> [...]
> sshd.setFileSystemFactory(new VirtualFileSystemFactory(myRootDir.getCanonicalPath()));
> [...]
> sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystemFactory()));
> I connect to the server with FileZilla.
> Upon connexion, the files in myRooDir correctly appear under the server path '/'. But
if I cd to '/c:/Windows/', the files in C:\Windows\ appear, escaping the VFS root.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message