chroot escape in Win32 sftp-server #2288

Closed
PowerShell/openssh-portable
#765
@jhudsoncedaron

Description

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

  1. Create test user account

  2. Turn on Developer Mode

  3. Load into sshd_config:

Match User test
       ForceCommand internal-sftp
       ChrootDirectory %h

(In fact any writable directory will do, or even a writable subdirectory, but with different steps to reproduce)

  4. Log in with sftp

  5. Run the following commands

sftp>ln -s .. parent
sftp>ls ..

Expected behavior

shows listing of c:\users\test

Actual behavior

shows listing of c:\users

Error details

No error message generated

Environment data

Not applicable; powershell itself is not in the reproduction steps

Version

OpenSSH_for_Windows_9.8p1 Win32-OpenSSH-GitHub, LibreSSL 3.9.2

Additional Info

MSRC Case 91638 reports: Not a vulnerability

This is still a bug. The behavior of .. bouncing off the root is well-known and stuff depends on this working.

To test this on unix systems: there, ChrootDirectory %h currently requires the home directory
to be owned by root and not writable by anybody else, so this needs to be tested with a writable subdirectory:

# chown root ~test
# chmod 755 ~test
# mkdir ~test/sub
# chown test ~test/sub
# sftp localhost
sftp>ln -s ../.. sub/grandparent
sftp>ls sub/grandparent
(lists /home/test but on Windows lists C:\Users)

Additional test cases (to avoid breaking something else)

sftp>ln -s / root
sftp>ls root
(should list C:\Users\test and does)
sftp>mkdir aaa
sftp>ln -s ../Documents aaa/docs
sftp>ls aaa/docs
(should list C:\Users\test\Documents and does)
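
A small model of the path resolution rule the issue asks for, added here as an illustration; it is not code from the issue or from openssh-portable. The `/Users/test` chroot, the `LINKS` table and the `resolve` function are constructed for this example, and `clamp=False` models the reported behaviour.

```python
# Constructed symlink table mirroring the issue's test cases. Keys are link
# paths relative to the chroot; values are the stored link targets.
LINKS = {
    "/parent": "..",
    "/sub/grandparent": "../..",
    "/root": "/",
    "/aaa/docs": "../Documents",
}

def resolve(path, chroot="/Users/test", clamp=True, links=LINKS, max_hops=40):
    """Return the host path that `path` (as seen by the client) resolves to.

    clamp=True  : '..' at the chroot root stays at the root (expected).
    clamp=False : '..' is applied to the host path without a floor, which
                  models the behaviour reported in the issue.
    """
    root = [c for c in chroot.split("/") if c]
    floor = len(root) if clamp else 0
    done = list(root)                                      # resolved host components
    pending = [c for c in reversed(path.split("/")) if c]  # next component on top
    hops = 0
    while pending:
        comp = pending.pop()
        if comp == ".":
            continue
        if comp == "..":
            if len(done) > floor:      # never pop below the floor
                done.pop()
            continue
        candidate = done + [comp]
        # Links exist only inside the chroot in this model.
        inside = candidate[:len(root)] == root
        target = links.get("/" + "/".join(candidate[len(root):])) if inside else None
        if target is None:
            done = candidate
            continue
        hops += 1
        if hops > max_hops:            # guard against symlink loops
            raise OSError("too many levels of symbolic links")
        if target.startswith("/"):
            done = list(root)          # absolute target restarts at the chroot root
        pending.extend(c for c in reversed(target.split("/")) if c)
    return "/" + "/".join(done)

if __name__ == "__main__":
    for p in ("parent", "sub/grandparent", "root", "aaa/docs"):
        print(f"{p:16} clamped={resolve(p)}  unclamped={resolve(p, clamp=False)}")
```

The two "additional test cases" resolve identically in both modes, which makes them useful regression checks when the clamp is added.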
