mina-dev mailing list archives

From "Albert Ho (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SSHD-605) VirtualFileSystemFactory allows escaping from root
Date Tue, 12 Apr 2016 20:51:25 GMT

[ https://issues.apache.org/jira/browse/SSHD-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237953#comment-15237953 ]

Albert Ho commented on SSHD-605:
--------------------------------

Thanks Guillaume and Goldstein. I've gotten approval so I'll make a pull request or patch.
It looks like the path in RootedFileSystemProvider#resolveLocalPath isn't being checked correctly,
and I was able to fail SftpTest#testCannotEscapeUserRoot using "/.." as path passed into sftp.stat(escapePath).
The Windows-specific code doesn't address this issue. I also re-tested launching the default
sftp server (using sshd-core 1.2.1) locally and was able to bypass the root.

See log here: 

Finished org.apache.sshd.client.subsystem.sftp.SftpTest:testCannotEscapeUserRoot in 37860 ms
java.lang.AssertionError: Unexpected escape success for path=/..: type=2;size=0;uid=0;gid=0;perms=0x41ed;flags=[Perms, OwnerGroup, AccessTime, ModifyTime, CreateTime];owner=aho1;aTime=2016-04-12T20:10:38Z;cTime=2016-04-12T20:10:38Z;mTime=2016-04-12T17:57:35Z;extensions=[]

	at org.junit.Assert.fail(Assert.java:88)
	at org.apache.sshd.client.subsystem.sftp.SftpTest.testCannotEscapeUserRoot(SftpTest.java:295)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
	at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
	at org.junit.rules.RunRules.evaluate(RunRules.java:20)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
	at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
	at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
	at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:234)
	at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:74)

Disconnected from the target VM, address: '127.0.0.1:49673', transport: 'socket'

Process finished with exit code 255


> VirtualFileSystemFactory allows escaping from root
> --------------------------------------------------
>
>                 Key: SSHD-605
>                 URL: https://issues.apache.org/jira/browse/SSHD-605
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>         Environment: Windows, JDK 7
>            Reporter: Damien B
>            Assignee: Goldstein Lyor
>              Labels: security
>             Fix For: 1.1.0
>
>
> Possibly Windows only.
> I start a SFTP server like this:
> sshd = SshServer.setUpDefaultServer();
> [...]
> sshd.setFileSystemFactory(new VirtualFileSystemFactory(myRootDir.getCanonicalPath()));
> [...]
> sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystemFactory()));
> I connect to the server with FileZilla.
> Upon connection, the files in myRootDir correctly appear under the server path '/'. But
> if I cd to '/c:/Windows/', the files in C:\Windows\ appear, escaping the VFS root.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
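The two escape inputs discussed in this thread ("/.." from the comment and "/c:/Windows/" from the issue) both get through when the virtual path is mapped onto the local root without a containment check afterwards. The class below is an added illustration of such a check using java.nio.file; it is not MINA SSHD's RootedFileSystemProvider code, and the root directory "vfs-root" and the probe paths are constructed for the demo.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Illustrative root-containment check (added example, NOT the MINA SSHD implementation).
// Assumes the SFTP client sends "/"-separated virtual paths and that rootDir is the
// absolute local directory handed to VirtualFileSystemFactory.
public final class RootedPathCheck {
    private final Path root;

    public RootedPathCheck(Path rootDir) {
        this.root = rootDir.toAbsolutePath().normalize();
    }

    /** Maps a virtual path such as "/docs/a.txt" onto the local root, or rejects it. */
    public Path resolveLocalPath(String virtualPath) {
        // Drop the virtual "/" so the remainder is resolved as a RELATIVE name. Without
        // this, "/c:/Windows/" can be interpreted as an absolute local path on Windows.
        String rel = virtualPath;
        while (rel.startsWith("/")) {
            rel = rel.substring(1);
        }
        // Path.resolve() returns its argument unchanged when that argument is absolute
        // (e.g. "c:/Windows" on Windows), so the check below is what enforces the root.
        Path candidate = root.resolve(rel).normalize();
        // normalize() collapses "..": "/.." becomes the root's parent, which fails
        // startsWith. Path.startsWith() compares whole name elements, so a root of
        // "/srv/root" does not accept "/srv/root2" the way String.startsWith() would.
        // normalize() is purely lexical: a symlink inside the root can still point
        // outside it, so for existing files re-check with toRealPath() as well.
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes VFS root: " + virtualPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        RootedPathCheck check = new RootedPathCheck(Paths.get("vfs-root")); // constructed
        String[] probes = { "/docs/a.txt", "/..", "/docs/../../etc/passwd", "/c:/Windows/" };
        for (String p : probes) {
            try {
                System.out.println(p + " -> " + check.resolveLocalPath(p));
            } catch (IllegalArgumentException e) {
                System.out.println(p + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

On a Unix host "/c:/Windows/" is simply a relative directory named "c:" under the root and is accepted; the rejection of that probe only shows on Windows, where "c:/Windows" parses as an absolute path, which is why the issue reporter saw the escape there.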
