Security problem

[shargon]

This library have a hight security problem, exposed in this spanish blog "https://www.fwhibbit.es/0day-senor-tiname-el-sobrero-rfi-por-ssh"

SCP accept any name, and could produce a RFI in scenario like this

https://youtu.be/gKnDuLy4bwk

There is no check of the file name at "https://github.com/hierynomus/sshj/blob/master/src/main/java/net/schmizz/sshj/xfer/scp/SCPDownloadClient.java#L156" and "

sshj/src/main/java/net/schmizz/sshj/xfer/FileSystemFile.java

Line 157 in c9775ca

throws IOException {

"

[hierynomus]

Thanks for notifying me. I'll patch and release it as soon as possible. Shouldn't be too hard.

Do you know whether there is a good English translation available of the security leak?

Sent from my Samsung SM-G950F using FastHub

[hierynomus]

Hi @shargon I've made a PR for this, can you check whether this fixes the problem?

Thanks!

[shargon]

Thanks for the quickly fix of the bug, the problem for test it, its that im not expert Java programmer (only in android) and i found this bug via HackerOne.

But i can see your test, and aparently are ok, if the method receibe the download of a file 'foo' can't get 'bar' or similar, only the 'foo' file must be right

If you see the video at 26 second "https://www.youtube.com/watch?v=gKnDuLy4bwk&feature=youtu.be&t=26s" you can see the attack, provide a fake name for produce the save in other path

GOOD WORK

Sorry for my english