[
https://issues.apache.org/jira/browse/SSHD-731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15896117#comment-15896117
]
Boris Fridland commented on SSHD-731:
-------------------------------------
Thanks for the fast response.
I am trying to use the workaround you suggested; however, in Mina 1.3.0, which
is the latest version in the Maven repository
(https://mvnrepository.com/artifact/org.apache.sshd/sshd-core), there is no
withFileSystemAccessor method in SftpSubsystemFactory.Builder().
How do you suggest solving this issue?
Thanks.
> Vulnerability in SimpleAccessControlSftpEventListener implementation
> ---------------------------------------------------------------------
>
> Key: SSHD-731
> URL: https://issues.apache.org/jira/browse/SSHD-731
> Project: MINA SSHD
> Issue Type: Bug
> Affects Versions: 1.3.0
> Reporter: Boris Fridland
> Assignee: Goldstein Lyor
> Priority: Minor
> Fix For: 1.5.0
>
>
> After implementing SFTP access control by overriding
> SimpleAccessControlSftpEventListener and adding it to SftpSubsystemFactory:
> Scenario:
> 1. Set SimpleAccessControlSftpEventListener.isModificationAllowed to return
> false.
> 2. Establish a connection with WinSCP.
> 3. Try to create a new file.
> Expected result: access denied message + no influence on the file system.
> Actual: access denied message + an empty file is written to the server disk.
> In addition, if an existing file is opened and then saved, the result is that
> the file content is removed.
> Attached configuration code:
> {code:java}
> import java.io.IOException;
> import java.nio.file.Path;
> import java.util.Collections;
>
> import org.apache.sshd.server.scp.ScpCommandFactory;
> import org.apache.sshd.server.session.ServerSession;
> import org.apache.sshd.server.subsystem.sftp.SftpSubsystemFactory;
> import org.apache.sshd.server.subsystem.sftp.SimpleAccessControlSftpEventListener;
>
> // authorizationManager, EUserAccessLevel and sshd (the SshServer) are the
> // reporter's own objects, defined elsewhere in the application.
> SftpSubsystemFactory.Builder builder = new SftpSubsystemFactory.Builder();
> builder.addSftpEventListener(new SimpleAccessControlSftpEventListener() {
>     // Read-side check: decided by the reporter's authorization service.
>     @Override
>     protected boolean isAccessAllowed(ServerSession session, String remoteHandle, Path localPath)
>             throws IOException {
>         EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
>         return level.hasReadAccess();
>     }
>
>     // Write-side check: returning false is expected to reject the operation
>     // without touching the file system.
>     @Override
>     protected boolean isModificationAllowed(ServerSession session, String remoteHandle, Path localPath)
>             throws IOException {
>         EUserAccessLevel level = authorizationManager.getAccessLevel(session.getUsername());
>         return level.hasWriteAccess();
>     }
> });
>
> sshd.setSubsystemFactories(Collections.singletonList(builder.build()));
> sshd.setCommandFactory(new ScpCommandFactory());
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
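The behaviour the report describes (a denied write that still leaves a zero-length or truncated file) comes down to the order in which the server opens the target file and consults the listener. The stand-alone Java program below is an added example, not code from MINA SSHD or from this issue; it uses only java.nio.file and a hypothetical always-deny isModificationAllowed() to model both orderings side by side, so the on-disk result of "open, then check" can be compared with "check, then open".

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (not MINA SSHD code). Models the ordering problem reported in
 * SSHD-731: if the local file is opened with CREATE/TRUNCATE_EXISTING before
 * the access-control hook runs, a denied write still creates an empty file or
 * wipes an existing one. isModificationAllowed() below is a hypothetical
 * stand-in for the reporter's listener and always denies.
 */
public class OpenOrderingDemo {

    /** Stand-in for the reporter's isModificationAllowed(): deny every write. */
    static boolean isModificationAllowed(String user, Path localPath) {
        return false;
    }

    /** Options an SFTP "open for write, create, truncate" request maps to. */
    static final Set<StandardOpenOption> WRITE_OPTS = EnumSet.of(
            StandardOpenOption.CREATE, StandardOpenOption.WRITE,
            StandardOpenOption.TRUNCATE_EXISTING);

    interface WriteHandler {
        void handle(String user, Path target) throws IOException;
    }

    /** Buggy ordering: open (create/truncate) first, consult the hook afterwards. */
    static void openThenCheck(String user, Path target) throws IOException {
        try (SeekableByteChannel ch = Files.newByteChannel(target, WRITE_OPTS)) {
            // Side effect already happened: the file now exists with length 0.
            if (!isModificationAllowed(user, target)) {
                throw new IOException("Permission denied");
            }
            ch.write(ByteBuffer.wrap("data".getBytes(StandardCharsets.UTF_8)));
        }
    }

    /** Hardened ordering: consult the hook before touching the file system. */
    static void checkThenOpen(String user, Path target) throws IOException {
        if (!isModificationAllowed(user, target)) {
            throw new IOException("Permission denied");
        }
        try (SeekableByteChannel ch = Files.newByteChannel(target, WRITE_OPTS)) {
            ch.write(ByteBuffer.wrap("data".getBytes(StandardCharsets.UTF_8)));
        }
    }

    /** Runs one handler against a new and an existing file and reports the on-disk result. */
    static void run(String label, WriteHandler handler) throws IOException {
        Path dir = Files.createTempDirectory("sshd-731-demo");
        Path existing = dir.resolve("existing.txt");
        Files.write(existing, "keep me".getBytes(StandardCharsets.UTF_8)); // constructed sample content
        Path fresh = dir.resolve("new.txt");

        for (Path target : new Path[] { fresh, existing }) {
            String outcome;
            try {
                handler.handle("alice", target);
                outcome = "allowed";
            } catch (IOException e) {
                outcome = "denied (" + e.getMessage() + ")";
            }
            String state = Files.exists(target)
                    ? "exists, " + Files.size(target) + " bytes"
                    : "does not exist";
            System.out.printf("%-16s %-13s -> %s; on disk: %s%n",
                    label, target.getFileName(), outcome, state);
        }
    }

    public static void main(String[] args) throws IOException {
        run("open-then-check", OpenOrderingDemo::openThenCheck);
        run("check-then-open", OpenOrderingDemo::checkThenOpen);
    }
}
```

With the always-deny hook, the "open-then-check" rows show new.txt existing at 0 bytes and existing.txt truncated to 0 bytes even though both writes were denied, which is the symptom in the report; the "check-then-open" rows show new.txt absent and existing.txt still 7 bytes. Whatever hook a given MINA SSHD version offers, the property to test for is the one in the second set of rows: a rejected write must leave the file system exactly as it was.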