mirrors/copyparty
1
0
Fork 0
mirror of https://github.com/9001/copyparty.git synced 2026-01-12 15:52:39 -07:00
Code Issues Actions Packages Projects Releases Wiki Activity

sftp: loosen stat restrictions (#1170);

Browse source 
some sftp clients always expect correct stat results, even in
write-only folders, so this slight info-leak must be allowed
This commit is contained in:
ed 2026-01-07 20:56:51 +00:00
parent 13055c6451
commit 9030828494
1 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
copyparty/sftpd.py
View file

@ -420,16 +420,23 @@ class SFTP_Srv(paramiko.SFTPServerInterface):
def _stat(self, vp: str) -> SATTR | int: def _stat(self, vp: str) -> SATTR | int:
try: try:
ap = self.v2a(vp, r=True)[0] ap, vn, _ = self.v2a(vp)
if (
self.uname not in vn.axs.uread
and self.uname not in vn.axs.uwrite
and self.uname not in vn.axs.uget
):
self.log("stat(%s): EPERM" % (vp,))
return SFTP_PERMISSION_DENIED
st = bos.stat(ap) st = bos.stat(ap)
self.log("stat(%s): %s" % (vp, st))
except: except:
if vp.strip("/") or self.asrv.vfs.realpath: if vp.strip("/") or self.asrv.vfs.realpath:
try: self.log("stat(%s): ENOENT" % (vp,))
self.v2a(vp, w=True)[0] return SFTP_NO_SUCH_FILE
except:
return SFTP_PERMISSION_DENIED
zi = int(time.time()) zi = int(time.time())
st = os.stat_result((16877, -1, -1, 1, 1000, 1000, 8, zi, zi, zi)) st = os.stat_result((16877, -1, -1, 1, 1000, 1000, 8, zi, zi, zi))
self.log("stat(%s): vfs-root")
return SATTR.from_stat(st) return SATTR.from_stat(st)
def open(self, path: str, flags: int, attr: SATTR) -> paramiko.SFTPHandle | int: def open(self, path: str, flags: int, attr: SATTR) -> paramiko.SFTPHandle | int: