SFTP root escape via prefix-based path validation in goshs

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files. The SFTP subsystem routes requests through sftpserver/sftpserver.go into DefaultHandler.GetHandler() in sftpserver/handler.go, which forwards file operations into readFile, writeFile, listFile, and cmdFile. All of those sinks rely on sanitizePath() in sftpserver/helper.go. helper.go uses a raw string-prefix comparison, not a directory-boundary check. Because of that, if the configured root is /tmp/goshsroot, then a sibling path such as /tmp/goshsroot_evil/secret.txt incorrectly passes validation since it starts with the same byte prefix. This vulnerability is fixed in 2.0.0-beta.6.

N/A

对路径名的限制不恰当(路径遍历)

goshs 路径遍历漏洞

goshs是Patrick Hener个人开发者的一个用Go编写的简单HTTP Server。 goshs 2.0.0-beta.6之前版本存在路径遍历漏洞，该漏洞源于SFTP子系统sanitizePath函数使用基于前缀的路径验证，可能导致经过身份验证的SFTP用户读写配置根目录之外的文件系统路径。

N/A

N/A