MEDIUM 5.9
GHSA-h64p-8h4r-6gfh
SFTPGo has path confinement bypass in public browsable share partial ZIP download
## Summary
The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied `files` entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's canonical path begins with the shared directory's name (a plain string-prefix match, with no check that the match ends at a path-separator boundary).
## Patches
Fixed in v2.7.3. The fix replaces the raw prefix check with a directory-boundary-aware check.
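As an added illustration (not SFTPGo's own code), the weak string-prefix confinement check shown next to a directory-boundary-aware check in Go; the share root `/docs` and the requested entry names are constructed sample values:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// canonical turns a client-supplied or configured path into a cleaned,
// rooted path so that ".." segments and duplicate slashes are resolved
// before any comparison is made.
func canonical(p string) string {
	return path.Clean("/" + p)
}

// isWithinSharePrefix is the weak form: a bare string-prefix comparison.
// It accepts "/docs-private/secret.txt" for the share "/docs" because the
// target's canonical path begins with the share directory's name.
func isWithinSharePrefix(shareDir, target string) bool {
	return strings.HasPrefix(canonical(target), canonical(shareDir))
}

// isWithinShareBoundary is the hardened form: the target must either be the
// share directory itself or continue with a path separator right after it,
// so a sibling directory that merely shares a name prefix is rejected.
func isWithinShareBoundary(shareDir, target string) bool {
	base := canonical(shareDir)
	p := canonical(target)
	if base == "/" {
		return true // sharing the root confines nothing further
	}
	return p == base || strings.HasPrefix(p, base+"/")
}

// filterEntries returns the canonical paths of the requested entries that
// the given check accepts for the share; rejected entries are dropped.
func filterEntries(shareDir string, entries []string,
	check func(shareDir, target string) bool) []string {
	var allowed []string
	for _, e := range entries {
		if check(shareDir, e) {
			allowed = append(allowed, canonical(e))
		}
	}
	return allowed
}

func main() {
	// Constructed sample request: one in-share file, one sibling-directory
	// file that only shares the name prefix, and one traversal attempt.
	req := []string{"/docs/report.pdf", "/docs-private/secret.txt", "/docs/../etc/passwd"}
	fmt.Println("prefix check:  ", filterEntries("/docs", req, isWithinSharePrefix))
	fmt.Println("boundary check:", filterEntries("/docs", req, isWithinShareBoundary))
}
```

Running it shows the prefix check letting the sibling-directory entry through while the boundary check keeps only `/docs/report.pdf`.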
Affected packages
Go / github.com/drakkan/sftpgo/v2
Introduced in: 2.2.0
Fixed in: 2.7.3
Fix: `go get github.com/drakkan/sftpgo/v2@v2.7.3`