Security problem #341
Comments
|
Thanks for notifying me. I'll patch and release it as soon as possible. Shouldn't be too hard. Do you know whether there is a good English translation available of the security leak? Sent from my Samsung SM-G950F using FastHub |
|
Hi @shargon I've made a PR for this, can you check whether this fixes the problem? Thanks! |
|
Thanks for the quickly fix of the bug, the problem for test it, its that im not expert Java programmer (only in android) and i found this bug via HackerOne. But i can see your test, and aparently are ok, if the method receibe the download of a file 'foo' can't get 'bar' or similar, only the 'foo' file must be right If you see the video at 26 second "https://www.youtube.com/watch?v=gKnDuLy4bwk&feature=youtu.be&t=26s" you can see the attack, provide a fake name for produce the save in other path GOOD WORK Sorry for my english |
* Check whether filename is a child of the current file (Fixes hierynomus#341) * Fixed codacy * Updated README release notes * Removed oraclejdk7 as that is no longer supported on trusty, added openjdk * Added gradle caching to travis config * Removed use of DataTypeConverter as that is no longer in default JDK9 * Removed build of broken openJDK7 in favour of using animal-sniffer to detect java 1.6 compatibility * Improved test stability * Correctly determine KeyType for ECDSA public key (Fixes hierynomus#356) * fixed build * Fixed Java9 build? * Disambiguated signature initialization * Removed deprecated method * Organised imports * Added 'out/' to gitignore * Added support for new-style fingerprints (hierynomus#365) * Added support for new-style fingerprints * Fixed codacy warnings * Fix decoding signature bytes (Fixes hierynomus#355, hierynomus#354) (hierynomus#361) * Fix for signature verify in DSA * Cleaned up signature verification * Fixed import * Ignored erroneous pmd warnings * Updated JavaDoc * Extracted ASN.1/DER encoding to method (hierynomus#368) * Update net.i2p.crypto:eddsa to 0.2.0 (hierynomus#372) * Update net.i2p.crypto:eddsa to 0.2.0 * Update net.i2p.crypto.eddsa to 0.2.0 * Update net.i2p.crypto.eddsa to 0.2.0 * Update net.i2p.crypto.eddsa to 0.2.0 * Log security provider registration failures (hierynomus#374) * Migrate remaining block ciphers * Updated README for v0.23.0 release * Using new release plugin * Updated build plugins * Fix escaping in WildcardHostMatcher (hierynomus#382) * Escape '[' and ']' in WildcardHostMatcher * Anchoring regex to match entire string (Fixes hierynomus#381) * Updated builds to include CodeCov * - Experimenting with travis * - fix ip for online testing * - account for different working dir * - yaml-yaml * - double before_install * - still -d * - try common format * - Fixed server keys - Use sshj branding * - grr, ip * - minor improvements * - eh? * - switch username back * - orly? * - desperation * - One more time * Upgraded gradle to cope with java9 * Separated out integration tests * Fixed length bug in putString (Fixes hierynomus#187) * Removed docker from travis yml as it is included in gradle build now * Added integration test to travis * Update AndroidConfig (hierynomus#389) * Add EdDSA signature for AndroidConfig. * Initialize KeyExchange- and FileKeyProviderFactories with registered "bouncyCastle" (in fact, SpongyCastle is registered). See hierynomus#308 for discussion. * Added integration test for append scenario (Fixes hierynomus#390) * Fixed headers
This library have a hight security problem, exposed in this spanish blog "https://www.fwhibbit.es/0day-senor-tiname-el-sobrero-rfi-por-ssh"
SCP accept any name, and could produce a RFI in scenario like this
https://youtu.be/gKnDuLy4bwk
There is no check of the file name at "https://github.com/hierynomus/sshj/blob/master/src/main/java/net/schmizz/sshj/xfer/scp/SCPDownloadClient.java#L156" and "
sshj/src/main/java/net/schmizz/sshj/xfer/FileSystemFile.java
Line 157 in c9775ca
The text was updated successfully, but these errors were encountered: