This repository has been archived by the owner on Feb 25, 2021. It is now read-only.

Little bit of code cleanup and clarifying comments
DaneEveritt committed Feb 1, 2019
1 parent 2102407 commit b98062b
Showing 2 changed files with 10 additions and 12 deletions.
8 changes: 2 additions & 6 deletions CHANGELOG.md
Expand Up @@ -2,10 +2,6 @@
This file is a running track of new features and fixes to each version of the daemon released starting with `v1.0.3`.

## v1.0.3

### Added
* Change Log

### Fixed
* Can properly set file permissions via sftp now.
* [Security] Fixes an unauthorized file read outside of server directory vulnerability when working with the standalone SFTP server.
* Fixes a regression in file permission handling via SFTP. File permissions can now be changed and are not forced to a specific setting.
* **[Security]** Fixes an unauthorized file read outside of server directory vulnerability when working with the standalone SFTP server.
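Review bot: The reworded permissions entry says file permissions "are not forced to a specific setting", but the Setstat branch in src/server/handler.go in this same commit still sets directories to 0755 and falls back to 0644 when the client sends a zero mode, so the changelog overstates the behaviour. Suggest wording along the lines of "File permissions sent by the client are now applied to files; directories remain 0755". The **[Security]** entry would also serve operators better if it named the released versions that are affected, so a reader can tell from the changelog alone whether an upgrade is required.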
14 changes: 8 additions & 6 deletions src/server/handler.go
Expand Up @@ -181,14 +181,15 @@ func (fs FileSystem) Filecmd(request *sftp.Request) error {

switch request.Method {
case "Setstat":
var mode os.FileMode
var mode os.FileMode = 0644

// If the client passed a valid file permission use that, otherwise use the
// default of 0644 set above.
if request.Attributes().FileMode().Perm() != 0000 {
mode = request.Attributes().FileMode().Perm()
} else {
mode = 0644
}

// Force directories to be 0755
if request.Attributes().FileMode().IsDir() {
mode = 0755
}
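Review bot: The `request.Attributes().FileMode().Perm() != 0000` test in the Setstat case cannot tell "the client sent no permission attribute" apart from "the client asked for mode 0000", so both end up as the 0644 default, and a Setstat that only carries size or timestamps will also arrive here with mode set to 0644. If this is github.com/pkg/sftp, check `request.AttrFlags().Permissions` first and leave the mode untouched when it is false, rather than inferring intent from a zero value. The directory override just below has a related weakness: `request.Attributes().FileMode().IsDir()` reads type bits supplied by the client, not the type of the target on disk, so it would be more reliable to stat the resolved path and decide from that. The new comment should say which of these cases the 0644 default is meant to cover.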
Expand Down Expand Up @@ -344,15 +345,16 @@ func (fs FileSystem) buildPath(rawPath string) (string, error) {
return p, nil
}

// Check if the path is in the server directory and return a no if it isn't.
symfile, err := filepath.EvalSymlinks(p)
// Resolve the absolute path for the file following any symlinks. Use this finalized
// path to determine if the requested file is within the current server's path.
final, err := filepath.EvalSymlinks(p)
if err != nil {
return "", errors.New("error evaluating symlink path")
}

dir, _ := path.Split(p)

if !strings.Contains(symfile, dir) {
if !strings.Contains(final, dir) {
return "", errors.New("invalid path resolution")
}
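Review bot: `strings.Contains(final, dir)` in buildPath is a substring match against the parent of the unresolved `p`, not a containment check against the server's root, so it does not implement what the new comment promises ("determine if the requested file is within the current server's path"). A substring can match anywhere in `final`, and because `dir` comes from `p` rather than from the server's base directory, the result depends on the request path itself; it also rejects a symlink that resolves to another location that is still inside the server directory. Suggest resolving the server root with `filepath.EvalSymlinks` as well, then using `filepath.Rel(root, final)` and rejecting any result that is `..` or begins with `..` plus the path separator. Separately, `path.Split(p)` should be `filepath.Split(p)` since `p` is an OS path, and the discarded second return value deserves a short comment.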
