asyncssh 2.23.0__tar.gz → 2.23.1__tar.gz

{asyncssh-2.23.0/asyncssh.egg-info → asyncssh-2.23.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: asyncssh
-Version: 2.23.0
+Version: 2.23.1
 Summary: AsyncSSH: Asynchronous SSHv2 client and server library
 Author-email: Ron Frederick <ronf@timeheart.net>
 License: EPL-2.0 OR GPL-2.0-or-later

{asyncssh-2.23.0 → asyncssh-2.23.1}/asyncssh/config.py

@@ -48,7 +48,8 @@ ConfigPaths = Union[None, FilePath, Sequence[FilePath]]
 
 
 _token_pattern = re.compile(r'%(.)')
-_env_pattern = re.compile(r'\${(.*)}')
+_env_pattern = re.compile(r'\${(.*?)}')
+_unsafe_user_pattern = re.compile(r'^\.\.$|^~|^[A-Za-z]:|[/\\]|\$\{.*?\}')
 
 
 def _exec(cmd: str) -> bool:
@@ -710,9 +711,22 @@ class SSHServerConfig(SSHConfig):
             return None
 
     def _set_tokens(self) -> None:
-        """Set the tokens available for percent expansion"""
+        """Set the tokens available for percent expansion
+
+           Only allow "safe" username substitutions. Unsafe usernames are:
+
+               - a username of exactly ".."
+               - a username beginning with a "~"
+               - a username beginning with a Windows drive letter and a ":"
+               - a username containing forward or backward slashes
+               - a username containing an env substitution like "${...}"
+
+           Note: this code assumes that saslprep has already been performed
+           on the username before it is accessed here.
+
+        """
 
-        if self._user == '..' or '/' in self._user or '\\' in self._user:
+        if _unsafe_user_pattern.search(self._user):
             raise IllegalUserName('Unsafe username substitution')
 
         self._tokens.update({'u': self._user})

{asyncssh-2.23.0 → asyncssh-2.23.1}/asyncssh/connection.py

@@ -553,7 +553,7 @@ async def _connect(options: _Options, config: DefTuple[ConfigPaths],
 async def _listen(options: _Options, config: DefTuple[ConfigPaths],
                   loop: asyncio.AbstractEventLoop, flags: int,
                   backlog: int, sock: Optional[socket.socket],
-                  reuse_address: bool, reuse_port: bool,
+                  reuse_address: Optional[bool], reuse_port: Optional[bool],
                   conn_factory: Callable[[], _Conn],
                   msg: str) -> 'SSHAcceptor':
     """Make inbound TCP or SSH tunneled listener"""
@@ -9353,7 +9353,8 @@ async def listen(host = '', port: DefTuple[int] = (), *,
                  tunnel: DefTuple[_TunnelListener] = (),
                  family: DefTuple[int] = (), flags:int = socket.AI_PASSIVE,
                  backlog: int = 100, sock: Optional[socket.socket] = None,
-                 reuse_address: bool = False, reuse_port: bool = False,
+                 reuse_address: Optional[bool] = None,
+                 reuse_port: Optional[bool] = None,
                  acceptor: _AcceptHandler = None,
                  error_handler: _ErrorHandler = None,
                  config: DefTuple[ConfigPaths] = (),
@@ -9411,7 +9412,7 @@ async def listen(host = '', port: DefTuple[int] = (), *,
            port other existing sockets are bound to, so long as they all
            set this flag when being created. If not specified, the
            default is to not allow this. This option is not supported
-           on Windows or Python versions prior to 3.4.4.
+           on Windows.
        :param acceptor: (optional)
            A `callable` or coroutine which will be called when the
            SSH handshake completes on an accepted connection, taking
@@ -9441,8 +9442,8 @@ async def listen(host = '', port: DefTuple[int] = (), *,
        :type flags: flags to pass to :meth:`getaddrinfo() <socket.getaddrinfo>`
        :type backlog: `int`
        :type sock: :class:`socket.socket` or `None`
-       :type reuse_address: `bool`
-       :type reuse_port: `bool`
+       :type reuse_address: `bool` or `None`
+       :type reuse_port: `bool` or `None`
        :type acceptor: `callable` or coroutine
        :type error_handler: `callable`
        :type config: `list` of `str`
@@ -9478,7 +9479,8 @@ async def listen_reverse(host = '', port: DefTuple[int] = (), *,
                          family: DefTuple[int] = (),
                          flags: int = socket.AI_PASSIVE, backlog: int = 100,
                          sock: Optional[socket.socket] = None,
-                         reuse_address: bool = False, reuse_port: bool = False,
+                         reuse_address: Optional[bool] = None,
+                         reuse_port: Optional[bool] = None,
                          acceptor: _AcceptHandler = None,
                          error_handler: _ErrorHandler = None,
                          config: DefTuple[ConfigPaths] = (),
@@ -9545,7 +9547,7 @@ async def listen_reverse(host = '', port: DefTuple[int] = (), *,
            port other existing sockets are bound to, so long as they all
            set this flag when being created. If not specified, the
            default is to not allow this. This option is not supported
-           on Windows or Python versions prior to 3.4.4.
+           on Windows.
        :param acceptor: (optional)
            A `callable` or coroutine which will be called when the
            SSH handshake completes on an accepted connection, taking
@@ -9580,8 +9582,8 @@ async def listen_reverse(host = '', port: DefTuple[int] = (), *,
        :type flags: flags to pass to :meth:`getaddrinfo() <socket.getaddrinfo>`
        :type backlog: `int`
        :type sock: :class:`socket.socket` or `None`
-       :type reuse_address: `bool`
-       :type reuse_port: `bool`
+       :type reuse_address: `bool` or `None`
+       :type reuse_port: `bool` or `None`
        :type acceptor: `callable` or coroutine
        :type error_handler: `callable`
        :type config: `list` of `str`

{asyncssh-2.23.0 → asyncssh-2.23.1}/asyncssh/scp.py

@@ -136,6 +136,10 @@ def _parse_cd_args(args: bytes) -> Tuple[int, int, bytes]:
 
     try:
         permissions, size, name = args.split(None, 2)
+
+        if b'/' in name or b'\\' in name or name == b'..':
+            raise _scp_error(SFTPBadMessage, 'Invalid filename')
+
         return int(permissions, 8), int(size), name
     except ValueError:
         raise _scp_error(SFTPBadMessage,

{asyncssh-2.23.0 → asyncssh-2.23.1}/asyncssh/sftp.py

@@ -7009,6 +7009,14 @@ class SFTPServer:
        tree. This will also affect path names returned by the
        :meth:`realpath` and :meth:`readlink` methods.
 
+
+           .. note:: AsyncSSH prevents creation of links to files outside
+                     of the selected chroot directory. However, pre-existing
+                     links inside the chroot which point outside of it will
+                     be followed. To completely isolate access to only the
+                     specified chroot, pre-existing links like this should
+                     be avoided.
+
     """
 
     # The default implementation of a number of these methods don't need self

{asyncssh-2.23.0 → asyncssh-2.23.1}/asyncssh/version.py

@@ -26,4 +26,4 @@ __author_email__ = 'ronf@timeheart.net'
 
 __url__ = 'http://asyncssh.timeheart.net'
 
-__version__ = '2.23.0'
+__version__ = '2.23.1'

{asyncssh-2.23.0 → asyncssh-2.23.1/asyncssh.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: asyncssh
-Version: 2.23.0
+Version: 2.23.1
 Summary: AsyncSSH: Asynchronous SSHv2 client and server library
 Author-email: Ron Frederick <ronf@timeheart.net>
 License: EPL-2.0 OR GPL-2.0-or-later

{asyncssh-2.23.0 → asyncssh-2.23.1}/docs/changes.rst

@@ -3,7 +3,21 @@
 Change Log
 ==========
 
-Release 2.23.0 (8 Feb 2026)
+Release 2.23.1 (6 Jun 2026)
+---------------------------
+
+* Fixed an SCP path traversal issue. Thanks go to Jaden Furtado for
+  reporting this issue.
+
+* Expanded previous fix to block unsafe user substitutions in server
+  config. Thanks go to GitHub user cesabici-bit for reporting this
+  issue.
+
+* Fixed default value for reuse_address and reuse_port, matching
+  the behaavior of asyncio.create_server(). Thanks go to Alexander
+  Shlemin for reporting the inconsistency.
+
+Release 2.23.0 (8 May 2026)
 ---------------------------
 
 * Added support for "Match localnetwork". Thanks go to Théophile Bastian

{asyncssh-2.23.0 → asyncssh-2.23.1}/tests/test_config.py

@@ -547,9 +547,10 @@ class _TestClientConfig(_TestConfig):
     def test_env_expansion(self):
         """Test environment variable expansion"""
 
-        config = self._parse_config('RemoteCommand ${HOME}/.ssh')
+        config = self._parse_config(
+            'RemoteCommand ${HOME}/${USERPROFILE}/.ssh')
 
-        self.assertEqual(config.get('RemoteCommand'), './.ssh')
+        self.assertEqual(config.get('RemoteCommand'), '././.ssh')
 
     def test_invalid_env_expansion(self):
         """Test invalid environment variable expansion"""
@@ -598,10 +599,13 @@ class _TestServerConfig(_TestConfig):
         config = self._parse_config('Match address 127.0.0.0/8\nPermitTTY no')
         self.assertEqual(config.get('PermitTTY'), False)
 
-    def test_illegal_user(self):
-        """Test update of match options"""
+    def test_unsafe_user(self):
+        """Test unsafe characters in username"""
+
+        for user in ('xxx..yyy', 'xxx~yyy', 'Cxxx:'):
+            self._parse_config('AuthorizedKeysFile %u', user=user)
 
-        for user in ('..', '/xxx', '\\xxx'):
+        for user in ('..', '~xxx', 'C:xxx', '/xxx', '\\xxx', '${xxx}'):
             with self.assertRaises(asyncssh.IllegalUserName):
                 self._parse_config('AuthorizedKeysFile %u', user=user)
 

{asyncssh-2.23.0 → asyncssh-2.23.1}/tests/test_sftp.py

@@ -5737,6 +5737,9 @@ class _TestSCPErrors(_CheckSCP):
 
                 if command.endswith('get_connection_lost'):
                     pass
+                elif command.endswith('get_invalid_filename_response'):
+                    await process.stdin.read(1)
+                    process.stdout.write('C0644 0 ../src\n')
                 elif command.endswith('get_dir_no_recurse'):
                     await process.stdin.read(1)
                     process.stdout.write('D0755 0 src\n')
@@ -5772,6 +5775,17 @@ class _TestSCPErrors(_CheckSCP):
 
         return await cls.create_server(process_factory=_handle_client)
 
+    @asynctest
+    async def test_get_invalid_filename_response(self):
+        """Test receiving directory when recurse wasn't requested"""
+
+        try:
+            with self.assertRaises((SFTPBadMessage, SFTPConnectionLost)):
+                await scp((self._scp_server, 'get_invalid_filename_response'),
+                          'dst')
+        finally:
+            remove('dst')
+
     @asynctest
     async def test_get_directory_without_recurse(self):
         """Test receiving directory when recurse wasn't requested"""