sftp setstat: guard against empty attrs

It seems that there are some clients that sends Setstat requests with no attrs: https://github.com/pkg/sftp/issues/325 I haven't never seen this myself, anyway we now return ErrSSHFxBadMessage and log the client version in such cases
2024-11-22 07:30:25 +00:00 · 2019-12-04 08:31:47 +01:00 · 2019-12-04 08:31:47 +01:00 · 39fc9b73e9
commit 39fc9b73e9
parent 80a5138115
2 changed files with 11 additions and 0 deletions
--- a/sftpd/handler.go
+++ b/sftpd/handler.go
@ -261,6 +261,11 @@ func (c Connection) handleSFTPSetstat(path string, request *sftp.Request) error
 	if setstatMode == 1 {
 		return nil
 	}
+	if len(request.Attrs) < 1 {
+		c.Log(logger.LevelInfo, logSender, "cannot handle Setstat request with no attrs, this is probably a buggy client: %v",
+			c.ClientVersion)
+		return sftp.ErrSSHFxBadMessage
+	}
 	attrFlags := request.AttrFlags()
 	if attrFlags.Permissions {
 		if !c.User.HasPerm(dataprovider.PermChmod) {
--- a/sftpd/internal_test.go
+++ b/sftpd/internal_test.go
@ -227,6 +227,12 @@ func TestSetstatModeIgnore(t *testing.T) {
 	if err != nil {
 		t.Errorf("unexpected error: %v setstat should be silently ignore in mode 1", err)
 	}
+	setstatMode = 0
+	req := sftp.NewRequest("Setstat", "invalid")
+	err = connection.handleSFTPSetstat("invalid", req)
+	if err != sftp.ErrSSHFxBadMessage {
+		t.Errorf("unexpected error: %v", err)
+	}
 	setstatMode = originalMode
 }