From b98062b1c423ea237ecd6b7a9dc2342e061b931c Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Thu, 31 Jan 2019 20:32:40 -0800
Subject: [PATCH] Little bit of code cleanup and clarifying comments
---
 CHANGELOG.md | 8 ++------
 src/server/handler.go | 14 ++++++++------
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b31538..e12c290 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,10 +2,6 @@
 This file is a running track of new features and fixes to each version of the daemon released starting with `v1.0.3`.
 ## v1.0.3
-
-### Added
- * Change Log
-
 ### Fixed
- * Can properly set file permissions via sftp now.
- * [Security] Fixes an unauthorized file read outside of server directory vulnerability when working with the standalone SFTP server.
\ No newline at end of file
+* Fixes a regression in file permission handling via SFTP. File permissions can now be changed and are not forced to a specific setting.
+* **[Security]** Fixes an unauthorized file read outside of server directory vulnerability when working with the standalone SFTP server.
\ No newline at end of file
diff --git a/src/server/handler.go b/src/server/handler.go
index c275f78..a9ce1d7 100644
--- a/src/server/handler.go
+++ b/src/server/handler.go
@@ -181,14 +181,15 @@ func (fs FileSystem) Filecmd(request *sftp.Request) error {
 switch request.Method {
 case "Setstat":
- var mode os.FileMode
+ var mode os.FileMode = 0644
+ // If the client passed a valid file permission use that, otherwise use the
+ // default of 0644 set above.
 if request.Attributes().FileMode().Perm() != 0000 {
 mode = request.Attributes().FileMode().Perm()
- } else {
- mode = 0644
 }
+ // Force directories to be 0755
 if request.Attributes().FileMode().IsDir() {
 mode = 0755
 }
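Review bot: The `Perm() != 0000` test in the Setstat case cannot distinguish a request that carries no permission attribute from one that asks for mode 0000, so a Setstat sent only to update timestamps or size would presumably end up applying the 0644 default and could widen a file that was 0600. The new comment calls this a "valid file permission" check, which overstates what it verifies. If `sftp` here is pkg/sftp, gate the whole mode change on `request.AttrFlags().Permissions` and leave the mode untouched when it is false. The case body continues past the hunk, so how `mode` is finally applied is not visible here.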
@@ -344,15 +345,16 @@ func (fs FileSystem) buildPath(rawPath string) (string, error) {
 return p, nil
 }
- // Check if the path is in the server directory and return a no if it isn't.
- symfile, err := filepath.EvalSymlinks(p)
+ // Resolve the absolute path for the file following any symlinks. Use this finalized
+ // path to determine if the requested file is within the current server's path.
+ final, err := filepath.EvalSymlinks(p)
 if err != nil {
 return "", errors.New("error evaluating symlink path")
 }
 dir, _ := path.Split(p)
- if !strings.Contains(symfile, dir) {
+ if !strings.Contains(final, dir) {
 return "", errors.New("invalid path resolution")
 }
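Review bot: `strings.Contains(final, dir)` is a substring test against the parent of the unresolved path `p`, not a containment check against the server's root, so it accepts any resolved path that merely has that directory string somewhere in it and never consults the root at all. The changelog in this same patch appears to describe this check as the guard against reads outside the server directory, so it should compare against the resolved root instead: `rel, err := filepath.Rel(root, final)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {` rejecting the path, where `root` is a placeholder for the server directory, which is not visible in this hunk. `path.Split` is also the slash-only package; `filepath.Dir` is the one meant for OS paths. buildPath starts before and continues after the hunk.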