
Make private key URL access play nice with sandboxing.

commit cac15cd1d7c9b563c06a3a53743794c2c115db1d 1 parent 8db2445
@mikeabdullah mikeabdullah authored
Showing with 17 additions and 1 deletion.
  1. +1 −0  CK2SFTPSession.h
  2. +16 −1 CK2SFTPSession.m
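--- a/CK2SFTPSession.h
+++ b/CK2SFTPSession.h
@@ -123,6 +123,7 @@ extern NSString *const CK2SSHAuthenticationSchemePassword;
 // Upon the initial challenge, the first thing to do is check the hostkey's fingerprint against known hosts. Your app may have it hard coded, may go to a file, may present it to the user, that's your call. -checkHostFingerprint: is probably a good bet
 // Note that NSURLCredentialStorage doesn't yet support SSH, so you will probably have to fetch the credential yourself from the keychain
+// SANDBOXING: If you supply a private key URL, the session will automatically call -startAccessingSecurityScopedResource as needed while using the key. This does *not* apply to public key URLs, since there shouldn't be a need to supply them
 - (void)SFTPSession:(CK2SFTPSession *)session didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge;
 - (void)SFTPSession:(CK2SFTPSession *)session didCancelAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge;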
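--- a/CK2SFTPSession.m
+++ b/CK2SFTPSession.m
@@ -1064,7 +1064,8 @@ - (BOOL)useSSHAgentToAuthenticateUser:(NSString *)user error:(NSError **)error;
 - (BOOL)usePublicKeyCredential:(NSURLCredential *)credential error:(NSError **)error;
 {
- NSString *privateKey = [[credential ck2_privateKeyURL] path];
+ NSURL *privateKeyURL = [credential ck2_privateKeyURL];
+ NSString *privateKey = [privateKeyURL path];
 NSString *publicKey = [[credential ck2_publicKeyURL] path];
 if (!privateKey)
@@ -1073,6 +1074,17 @@ - (BOOL)usePublicKeyCredential:(NSURLCredential *)credential error:(NSError **)e
 }
 else
 {
+ // When sandboxed, gain access to the URL temporarily
+ BOOL access = NO;
+ if ([privateKeyURL respondsToSelector:@selector(startAccessingSecurityScopedResource)])
+ {
+ access = [privateKeyURL startAccessingSecurityScopedResource];
+ if (!access)
+ {
+ NSLog(@"Unable to start accessing private key: %@", [privateKeyURL path]);
+ }
+ }
+
 NSString *password = [credential password];
 int result = libssh2_userauth_publickey_fromfile(_session,
@@ -1080,6 +1092,9 @@ - (BOOL)usePublicKeyCredential:(NSURLCredential *)credential error:(NSError **)e
 [publicKey fileSystemRepresentation],
 [privateKey fileSystemRepresentation],
 [password UTF8String]);
+
+ if (access) [privateKeyURL stopAccessingSecurityScopedResource];
+
 if (result)
 {
 if (error) *error = [self sessionError];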
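Review bot: The `NSLog` in the new `if (!access)` branch writes the full private key path to the system log, and it probably fires for every key URL that is not security-scoped, because `-startAccessingSecurityScopedResource` reports NO whenever it grants nothing (worth confirming on the OS versions you target). Logging only the file name keeps the location of key material out of shared logs: `NSLog(@"Unable to start accessing private key: %@", [privateKeyURL lastPathComponent]);`. Authentication still proceeds after a failed start, so in a sandboxed app the caller would only see the libssh2 error from `[self sessionError]`; a short comment saying that NO is expected for ordinary file URLs and is deliberately non-fatal would help the next reader. `-usePublicKeyCredential:error:` begins and ends outside the hunks shown.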