[ https://issues.apache.org/jira/browse/SSHD-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15236286#comment-15236286 ]
Albert Ho commented on SSHD-605:
--------------------------------

Hi all,

I took a look at the fix for this ticket and verified that the bug still exists in Apache SSHD 1.1.0 and 1.2.0. I have a fix for this ticket locally, including extensive unit tests on the RootedFileSystemProvider. I would be happy to take this on (assuming my employer authorizes it).

You can follow the thread here: http://www.mail-archive.com/dev@mina.apache.org/msg26592.html

> VirtualFileSystemFactory allows escaping from root
> --------------------------------------------------
>
>                 Key: SSHD-605
>                 URL: https://issues.apache.org/jira/browse/SSHD-605
>             Project: MINA SSHD
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>         Environment: Windows, JDK 7
>            Reporter: Damien B
>            Assignee: Goldstein Lyor
>              Labels: security
>             Fix For: 1.1.0
>
>
> Possibly Windows only.
> I start an SFTP server like this:
> sshd = SshServer.setUpDefaultServer();
> [...]
> sshd.setFileSystemFactory(new VirtualFileSystemFactory(myRootDir.getCanonicalPath()));
> [...]
> sshd.setSubsystemFactories(Arrays.<NamedFactory<Command>>asList(new SftpSubsystemFactory()));
> I connect to the server with FileZilla.
> Upon connection, the files in myRootDir correctly appear under the server path
> '/'. But if I cd to '/c:/Windows/', the files in C:\Windows\ appear, escaping
> the VFS root.
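An added example, not part of the original message and not Apache SSHD's code or its fix: one general way to keep client-supplied SFTP paths inside a virtual root with java.nio.file, covering both ".." segments and the drive-letter form reported above. The class name RootedPathCheck, the directory sftp-root and the sample paths are hypothetical and constructed for illustration.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical root-containment check for client paths; not Apache SSHD code. */
public final class RootedPathCheck {
    private final Path root;

    public RootedPathCheck(Path root) {
        // Normalise once so every later comparison uses the same absolute form.
        this.root = root.toAbsolutePath().normalize();
    }

    /** Maps a client path such as "/docs/a.txt" to a local path under root, or throws. */
    public Path resolve(String clientPath) {
        // Treat the client path as relative to the virtual root: drop leading separators.
        String relative = clientPath.replaceAll("^[/\\\\]+", "");
        Path candidate;
        try {
            // Path.resolve returns its argument unchanged when that argument is absolute
            // (for example "c:/Windows" on Windows), so the result is verified below.
            candidate = root.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            throw new SecurityException("Rejected path: " + clientPath, e);
        }
        // Path.startsWith compares whole name elements, so "rootX" never matches "root".
        if (!candidate.startsWith(root)) {
            throw new SecurityException("Path escapes virtual root: " + clientPath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs. On Windows "/c:/Windows/" is rejected; on Unix-like
        // systems "c:" is an ordinary directory name and the result stays under the root.
        RootedPathCheck check = new RootedPathCheck(Paths.get("sftp-root"));
        String[] samples = {"/", "/docs/report.txt", "/../outside.txt",
                            "/c:/Windows/", "/docs/../../x"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + check.resolve(s));
            } catch (SecurityException e) {
                System.out.println(s + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is purely lexical: a symbolic link inside the root that points outside it is not detected, so existing paths would also need comparing via toRealPath().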