[ https://issues.apache.org/jira/browse/SSHD-775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16196597#comment-16196597 ]
Goldstein Lyor commented on SSHD-775:
-------------------------------------

{quote}
my compliments for the quick implementation
{quote}

By some lucky circumstances I had some time + an idea how to approach this so it was relatively quick - everything I said though about volunteer work and free time still holds... :)

> SftpSubSystem::sendStatus leaks Exception information
> -----------------------------------------------------
>
> Key: SSHD-775
> URL: https://issues.apache.org/jira/browse/SSHD-775
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 1.6.0
> Reporter: Mark Ebbers
> Assignee: Goldstein Lyor
> Priority: Minor
> Labels: security
> Fix For: 1.7.0
>
>
> I'm using SSHD-core 1.6.0 in my own Sftp server implementation and make use
> of the rooted file-system. I have now noticed that a client tried to rename a
> file, which was no longer available, and got a response with the substatus
> SSH_FX_NO_SUCH_FILE and the message ' Internal NoSuchFileException:
> /srv/sftp/chroot/11738/file.txt'.
> As a client I now know the following two things:
> * The full path on the file-system.
> * The server was written in Java. (NoSuchFileException)
> I noticed that the SftpSubsystem.sendStatus(Buffer, int, Throwable) uses the
> SftpHelper.resolveStatusMessage() method to create a message string to be
> sent to the client without further checking what information is inside the
> Exception message.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)