Skip to content

lock chroot#9

Merged
addrummond merged 1 commit intonodeftpd:masterfrom
asylumfunk:issue/9
Jan 31, 2014
Merged

lock chroot#9
addrummond merged 1 commit intonodeftpd:masterfrom
asylumfunk:issue/9

Conversation

@asylumfunk
Copy link
Copy Markdown
Collaborator

@asylumfunk asylumfunk commented Jan 31, 2014

prevent breach even with relative path for getInitialCwd

@asylumfunk
lock chroot
44ec521 
prevent breach even with relative path for getInitialCwd

fix #9
addrummond added a commit that referenced this pull request Jan 31, 2014
@addrummond
Merge pull request #9 from asylumfunk/issue/9
3464b3f 
lock chroot
@addrummond addrummond merged commit 3464b3f into nodeftpd:master Jan 31, 2014
@asylumfunk asylumfunk deleted the issue/9 branch January 31, 2014 02:23
@asylumfunk
Copy link
Copy Markdown
Collaborator Author

asylumfunk commented Jan 31, 2014

Thanks again!

@asylumfunk asylumfunk mentioned this pull request Mar 7, 2014
Closed
asylumfunk added a commit to asylumfunk/nodeftpd that referenced this pull request Mar 7, 2014
@asylumfunk
Confine MDTM request to files in CHROOT jail
322cf37 
This commit properly resolves MDTM request filenames to locations within
the CHROOT jail. Previously, requests were made relative to the
filesystem root (/), instead of the server root (/srv/files/from/here).

This allowed users to request MDTM on potentially sensitive files
(/root, /home), while simultaneously denying legitimate requests within
the shared directory.

Note: all filesystem calls *must* be joined with the path to the server
root (pathModule.join(self.root, filename)).

fix #28
ref nodeftpd@57a9e5f
ref nodeftpd#5
ref nodeftpd#9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@asylumfunk @addrummond