Bug#862249: Mounting an SFTP share with path may lead to data being deleted
Jonas Meurer
jonas at freesources.org
Wed May 10 08:42:51 UTC 2017
Package: nautilus
Version: 3.22.3-1
Severity: critical
Hello,

I just discovered a severe bug in the sftp protocol support of nautilus:

I tried to mount a remote folder via SFTP/SSH by using a syntax similar
to the following:
'sftp://<host>/path/to/directory'. Instead of displaying
'/path/to/directory' on the remote host, nautilus kept giving warnings
that it doesn't know what to do with file 'directory' and moved to the
home directory on the remote host.

I tried it with different syntax (colon between host and path, 'user@'
in front of host, using 'ssh://' instead of 'sftp://') and I tried both
using the 'Andere Orte' (something like 'different locations' in
English) and the address bar (<Ctrl>+<l>). One time nautilus even
crashed (the Files window got closed).

After some time, I went back to the remote console SSH session and was
shocked to realize that the whole directory '/path/to/directory' was
removed on the remote host. Luckily I had backups.

I don't have time to do further debugging right now as I'm quite busy,
but I will do further debugging and try to find a clear reproducer in
the following days.

Kind regards
jonas
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nautilus depends on:
ii desktop-file-utils 0.23-1
ii gsettings-desktop-schemas 3.22.0-1
ii gvfs 1.30.4-1
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-10
ii libcairo-gobject2 1.14.8-1
ii libcairo2 1.14.8-1
ii libexempi3 2.4.1-1
ii libexif12 0.6.21-2+b2
ii libgail-3-0 3.22.11-1
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libglib2.0-data 2.50.3-2
ii libgnome-autoar-0-0 0.1.1-4+b1
ii libgnome-desktop-3-12 3.22.2-1
ii libgtk-3-0 3.22.11-1
ii libnautilus-extension1a 3.22.3-1
ii libpango-1.0-0 1.40.5-1
ii libselinux1 2.6-3+b1
ii libtracker-sparql-1.0-0 1.10.5-1
ii libx11-6 2:1.6.4-3
ii nautilus-data 3.22.3-1
ii shared-mime-info 1.8-1
Versions of packages nautilus recommends:
ii gnome-sushi 3.21.91-2
ii gvfs-backends 1.30.4-1
ii librsvg2-common 2.40.16-1+b1
Versions of packages nautilus suggests:
ii brasero 3.12.1-4
ii eog 3.20.5-1+b1
ii evince [pdf-viewer] 3.22.1-3
ii nautilus-sendto 3.8.4-2+b1
ii okular [pdf-viewer] 4:16.08.2-1+b1
ii totem 3.22.1-1
ii tracker 1.10.5-1
ii vlc [mp3-decoder] 2.2.5-1
ii xdg-user-dirs 0.15-2+b1
-- no debconf information