
I saw thread posts above on preventing browser access via.

This issue is actually very, very serious. When you create an STx project and you want FTP capabilities, you must create a sftp-config.json in a local folder that is the equivalent of the document root on the server. Each, any and every time you make a change to this sftp-config.json, it gets UPLOADED TO THE SERVER. There is no way around this security hole given the current structure of the SFTP Plug-in. The solution needs to be that the sftp-config.json gets stored above the document root. Currently, on a Win7 machine, the sftp server file also exists at C:\Users\AppData\Roaming\Sublime Text 3\Packages\User\sftp_servers. Ideally, we would be able to store this file in the same place that the server credentials' copy of the sftp-config.json gets stored so we do not need to have 2 copies of it on our local machine. The server configuration file needs to exist once and in a local folder that is not a compromise to site security. There is no reason the sftp-config.json file needs to reside on the server.

Just to be clear - the plugin NEVER uploads the config file - unless you explicitly ask for the file to be uploaded. So you have to open the file and execute “Upload file” or right click on the file and click “Upload”. It should be pretty obvious to most users to not do that… If you care about security, which you should, you should be using SFTP and SSH keys. SFTP without SSH keys requires that you either type in your password for every connection attempt, or you have it stored somewhere on disk.

In the next release I am planning on offering an option for storing your configuration files in a separate location, and I have the intention of exploring integration with popular password vaults. If you notice, the plugin was originally designed to just be SFTP, hence the name SFTP. I was not planning on supporting FTP due to the security issues related to it. The market spoke and demanded FTP support, so I added it.

Also, the author of that blog has contemptible security practices. Supposedly he crawled and emailed developers for hundreds of sites. However, he never even attempted to contact me to raise his concern or ask for a response. His behavior does not sound like much of a security “professional” to me. Just to reiterate, I highly recommend anyone using the plugin use SFTP with an SSH key.
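The two concerns raised in the thread, a sftp-config.json sitting inside the document root where a site upload carries it to the web server, and a config that stores a password instead of pointing at an SSH key, can both be caught locally before anything is uploaded. The script below is an added example written for this page; it is not code from the thread or from the SFTP plugin. It assumes the plugin's configuration fields are named `type`, `host`, `user`, `password`, `ssh_key_file` and `upload_on_save`, and that the file may contain `//` line comments (which strict JSON rejects); the directory layout, hostnames and password it builds are constructed sample data.

```python
"""Audit a local project tree for sftp-config.json files (added example, not the plugin's code).

Flags any config that lives inside the document root (it would be uploaded with
the site) and reports whether it stores a plaintext password or uses an SSH key.
Field names are assumptions about the plugin's config layout.
"""
import json
import re
import tempfile
from pathlib import Path

CONFIG_NAME = "sftp-config.json"
_LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)  # plugin writes // comments


def load_plugin_config(text: str) -> dict:
    """Parse the plugin's comment-bearing JSON into a dict."""
    return json.loads(_LINE_COMMENT.sub("", text))


def classify(config: dict) -> str:
    """Return a risk label for one parsed config, based on how it authenticates."""
    kind = str(config.get("type", "sftp")).lower()
    if kind == "ftp":
        return "HIGH: plain FTP, credentials travel unencrypted"
    if config.get("password"):
        return "HIGH: SFTP password stored on disk in the config file"
    if config.get("ssh_key_file"):
        return "LOW: SFTP with SSH key, no password in the file"
    return "MEDIUM: SFTP with no stored credential (password prompted per connection)"


def audit_tree(project_root: Path, document_root: Path) -> list:
    """Find every sftp-config.json under project_root; mark those inside document_root."""
    document_root = document_root.resolve()
    findings = []
    for path in sorted(project_root.rglob(CONFIG_NAME)):
        try:
            config = load_plugin_config(path.read_text(encoding="utf-8"))
        except (ValueError, OSError) as exc:
            findings.append({"path": str(path), "error": str(exc)})
            continue
        findings.append({
            "path": str(path),
            "inside_document_root": path.resolve().is_relative_to(document_root),
            "upload_on_save": bool(config.get("upload_on_save", False)),
            "risk": classify(config),
        })
    return findings


# Constructed sample configs (values are made up for this example).
SAMPLE_FTP_CONFIG = """{
    // sftp, ftp or ftps
    "type": "ftp",
    "upload_on_save": true,
    "host": "ftp.example.invalid",
    "user": "deploy",
    "password": "constructed-sample-password",
    "remote_path": "/public_html/"
}
"""

SAMPLE_KEY_CONFIG = """{
    "type": "sftp",
    "host": "sftp.example.invalid",
    "user": "deploy",
    "ssh_key_file": "~/.ssh/id_ed25519",
    "remote_path": "/var/www/site/"
}
"""


def demo() -> list:
    """Build a constructed project tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "site"
        docroot = project / "public_html"          # what gets uploaded to the server
        docroot.mkdir(parents=True)
        (docroot / CONFIG_NAME).write_text(SAMPLE_FTP_CONFIG, encoding="utf-8")
        safe_dir = project / "deploy"              # above the document root
        safe_dir.mkdir()
        (safe_dir / CONFIG_NAME).write_text(SAMPLE_KEY_CONFIG, encoding="utf-8")
        return audit_tree(project, docroot)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real checkout by calling `audit_tree(Path("."), Path("./public_html"))` with your own document root; any finding with `inside_document_root` set is a config that a full-site upload would publish, regardless of the `upload_on_save` setting.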
