aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEd Maste <emaste@FreeBSD.org>2019-12-13 20:45:45 +0000
committerEd Maste <emaste@FreeBSD.org>2019-12-13 20:45:45 +0000
commitae1f79038fb9c55810b8b71b4f64a7ce684414dd (patch)
tree1324be16e7a91ff4875e2cd226bd89ac2310014f
parent15afff1cd946ea3f7574450a2ecec454313d8199 (diff)
downloadsrc-ae1f79038fb9c55810b8b71b4f64a7ce684414dd.tar.gz
src-ae1f79038fb9c55810b8b71b4f64a7ce684414dd.zip
sftp: disallow creation (of empty files) in read-only mode
Direct commit to stable/11; already fixed in newer OpenSSH in 12 and later. PR: 233801 Reported by: Dani Obtained from: OpenBSD 1.111 Security: CVE-2017-15906
Notes
Notes: svn path=/stable/11/; revision=355731
-rw-r--r--crypto/openssh/sftp-server.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/openssh/sftp-server.c b/crypto/openssh/sftp-server.c
index 3619cdfc0ffe..a447ccc627c6 100644
--- a/crypto/openssh/sftp-server.c
+++ b/crypto/openssh/sftp-server.c
@@ -691,8 +691,8 @@ process_open(u_int32_t id)
logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode);
if (readonly &&
- ((flags & O_ACCMODE) == O_WRONLY ||
- (flags & O_ACCMODE) == O_RDWR)) {
+ ((flags & O_ACCMODE) != O_RDONLY ||
+ (flags & (O_CREAT|O_TRUNC)) != 0)) {
verbose("Refusing open request in read-only mode");
status = SSH2_FX_PERMISSION_DENIED;
} else {