VDB
Severity: MEDIUM (5.9)

GHSA-h64p-8h4r-6gfh

SFTPGo has path confinement bypass in public browsable share partial ZIP download

Details

## Summary

The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied `files` entries to the shared directory. The confinement test was a plain string-prefix comparison, so a requester able to reach a public share could read files located outside the shared directory as long as the target's canonical path begins with the shared directory's path (for example, a sibling directory whose name starts with the shared directory's name).

## Patches

Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary-aware check.
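The weak check beside the corrected one, as an added illustration in Go; this is not SFTPGo's own code, and `resolve`, `confinedByPrefix`, `confinedByDir` and the `/data/share` layout are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// resolve joins a client-supplied entry onto the share root and canonicalises
// the result (path.Join also collapses ".." segments). Hypothetical helper.
func resolve(shareRoot, entry string) string {
	return path.Join("/", shareRoot, entry)
}

// confinedByPrefix models the weak check: a raw string-prefix comparison.
// A sibling directory whose name merely starts with the share root's name
// (e.g. "/data/share-private" for root "/data/share") passes this test.
func confinedByPrefix(shareRoot, entry string) bool {
	return strings.HasPrefix(resolve(shareRoot, entry), path.Clean("/"+shareRoot))
}

// confinedByDir models the directory-boundary-aware check: the canonical path
// must be the share root itself or continue with a separator right after it.
func confinedByDir(shareRoot, entry string) bool {
	root := path.Clean("/" + shareRoot)
	target := resolve(shareRoot, entry)
	if target == root || root == "/" {
		return true
	}
	return strings.HasPrefix(target, root+"/")
}

func main() {
	// Constructed sample entries as a client might submit them.
	entries := []string{"report.pdf", "sub/../report.pdf", "../share-private/secret", "../other/x", "."}
	for _, e := range entries {
		fmt.Printf("%-26s -> %-28s prefix=%-5t dir=%t\n", e, resolve("/data/share", e),
			confinedByPrefix("/data/share", e), confinedByDir("/data/share", e))
	}
}
```

Only the sibling-directory entry separates the two checks: the prefix test accepts it, the boundary-aware test rejects it.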


Affected packages

- Ecosystem: Go
- Package: github.com/drakkan/sftpgo/v2
- Introduced in: 2.2.0
- Fixed in: 2.7.3
- Fix: `go get github.com/drakkan/sftpgo/v2@v2.7.3`

References