[ https://issues.apache.org/jira/browse/SSHD-775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16196547#comment-16196547 ]
Mark Ebbers commented on SSHD-775:
----------------------------------
Thanks for the tip, I will dive into this.
{quote}I'll start working on it, though I don't know when it will be ready - we
are all volunteers in this project and must find the time to introduce this
feature. Meanwhile, if it is something your project is in dire need of you can
sub-class SftpSubSystem and override its sendStatus method...{quote}
Looks very good and my compliments for the quick implementation! (y)
{quote}See
https://github.com/apache/mina-sshd/commit/2529a4c3da8635ca350cd85ae76b0df5ac3b39d0{quote}
> SftpSubSystem::sendStatus leaks Exception information
> -----------------------------------------------------
>
> Key: SSHD-775
> URL: https://issues.apache.org/jira/browse/SSHD-775
> Project: MINA SSHD
> Issue Type: Improvement
> Affects Versions: 1.6.0
> Reporter: Mark Ebbers
> Assignee: Goldstein Lyor
> Priority: Minor
> Labels: security
> Fix For: 1.7.0
>
>
> I'm using SSHD-core 1.6.0 in my own Sftp server implementation and make use
> of the rooted file-system. Now I noticed that a client tried to rename a
> file, which was no longer available, and got a response with the substatus
> SSH_FX_NO_SUCH_FILE and the message ' Internal NoSuchFileException:
> /srv/sftp/chroot/11738/file.txt'.
> As a client I now know the following two things:
> * The full path on the file-system.
> * The server was written in Java. (NoSuchFileException)
> I noticed that the SftpSubsystem.sendStatus(Buffer, int, Throwable) uses the
> SftpHelper.resolveStatusMessage() method to create a message string to be
> sent to the client without further checking what information is inside the
> Exception message.
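The leak described in the report, next to a client-safe status text, as an added example that is not code from MINA SSHD or from the linked commit. SafeStatusMessage and its methods are hypothetical names, and leaky() only approximates the message format quoted in the report; an overridden sendStatus, as suggested in the comment above, could call safe() to build the reply text.

```java
import java.nio.file.AccessDeniedException;
import java.nio.file.NoSuchFileException;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helper, not part of MINA SSHD: builds the text of an SFTP status reply. */
public final class SafeStatusMessage {
    // Status codes from the SFTP protocol drafts.
    static final int SSH_FX_NO_SUCH_FILE = 2;
    static final int SSH_FX_PERMISSION_DENIED = 3;
    static final int SSH_FX_FAILURE = 4;

    private static final Logger LOG = Logger.getLogger("sftp.status");

    /** Leaky form, approximating the message quoted in the report (class name + raw exception text). */
    static String leaky(Throwable t) {
        return "Internal " + t.getClass().getSimpleName() + ": " + t.getMessage();
    }

    /** Map the exception to a status code without exposing its type to the client. */
    static int substatus(Throwable t) {
        if (t instanceof NoSuchFileException) return SSH_FX_NO_SUCH_FILE;
        if (t instanceof AccessDeniedException) return SSH_FX_PERMISSION_DENIED;
        return SSH_FX_FAILURE;
    }

    /** Hardened form: fixed text per status code; the detail stays in the server log. */
    static String safe(int requestId, Throwable t) {
        LOG.log(Level.WARNING, "SFTP request " + requestId + " failed", t);
        switch (substatus(t)) {
            case SSH_FX_NO_SUCH_FILE:      return "No such file";
            case SSH_FX_PERMISSION_DENIED: return "Permission denied";
            default:                       return "Operation failed";
        }
    }

    public static void main(String[] args) {
        // Constructed input: the path is the one quoted in the report.
        Throwable t = new NoSuchFileException("/srv/sftp/chroot/11738/file.txt");
        String bad = leaky(t), good = safe(1, t);
        System.out.println("leaky: " + bad);
        System.out.println("safe:  " + substatus(t) + " " + good);
        if (good.contains("/srv/") || good.contains("Exception")) {
            throw new AssertionError("status text still exposes server detail");
        }
    }
}
```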