Just to be clear - the plugin NEVER uploads the config file - unless you explicitly ask for the file to be uploaded. So you have to open the file and execute "Upload file" or right click on the file and click "Upload". It should be pretty obvious to most users to not do that…

If you care about security, which you should, you should be using SFTP and SSH keys. SFTP without SSH keys requires that you either type in your password for every connection attempt, or you have it stored somewhere on disk. In the next release I am planning on offering an option for storing your configuration files in a separate location, and I have the intention of exploring integration with popular password vaults.

If you notice, the plugin was originally designed to just be SFTP, hence the name SFTP. I was not planning on supporting FTP due to the security issues related to it. The market spoke and demanded FTP support, so I added it. Just to reiterate, I highly recommend anyone using the plugin use SFTP with an SSH key.

Also, the author of that blog has contemptible security practices. Supposedly he crawled and emailed developers for hundreds of sites. However, he never even attempted to contact me to raise his concern or ask for a response. His behavior does not sound like much of a security "professional" to me.

This issue is actually very, very serious. When you create an STx project and you want FTP capabilities, you must create a sftp-config.json in a local folder that is the equivalent of the document root on the server. Each, any and every time you make a change to this sftp-config.json, it gets UPLOADED TO THE SERVER. There is no way around this security hole given the current structure of the SFTP Plug-in. The solution needs to be that the sftp-config.json gets stored above the document root.

Currently, on a Win7 machine, the sftp server file also exists at C:\Users\AppData\Roaming\Sublime Text 3\Packages\User\sftp_servers. Ideally, we would be able to store this file in the same place that the server credential's copy of the sftp-config.json gets stored so we do not need to have 2 copies of it on our local machine. The server configuration file needs to exist once and in a local folder that is not a compromise to site security. There is no reason the sftp-config.json file needs to reside on the server. I saw thread posts above on preventing browser access via. Essentially, they miss the point that having this open text file floating around on the server with FTP credentials is serious business. The root problem needs to be addressed – not server-side patchwork to make up for the plug-in's shortcoming.

I am aware of the feature request to store configuration in a different location than the local root of your project. It is on the list for the next feature release. As I explained above - with the default configuration, there is no security hole. I have also been working on the integration of various operating system password vaults to use for storing passwords in.

The sftp-config.json is ignored unless the user explicitly opens the file, or right-clicks on it and uploads it. It certainly is possible that if you use the FTP protocol and use another FTP program and upload your credentials file to the server it will be visible.
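A defender-side audit of the situation discussed in this thread, added here as an example (it is not code from the thread or from the plugin): it parses an sftp-config.json, flags the FTP and plaintext-password cases, and walks a document root for copies that should not be there. The key names "type", "password" and "ssh_key_file" and the full-line // comments are assumed from the plugin's default config; the sample file is constructed.

```python
# Added example, not code from the forum thread or the plugin. The key names
# "type", "password" and "ssh_key_file" are assumed from the plugin's config.
import json
import os
import re

# Strip the full-line // comments the generated config carries; json.loads() rejects them.
_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)

def parse_sftp_config(text):
    """Parse an sftp-config.json body, tolerating full-line // comments."""
    return json.loads(_COMMENT.sub("", text))

def audit_config(cfg):
    """Return findings for one parsed config; an empty list is the safe case."""
    findings = []
    proto = str(cfg.get("type", "")).lower()
    if proto == "ftp":
        findings.append("type=ftp: credentials and data travel unencrypted")
    if cfg.get("password"):
        findings.append("password stored in plaintext in the config file")
    if proto == "sftp" and not cfg.get("ssh_key_file"):
        findings.append("sftp without ssh_key_file: relies on a stored or typed password")
    return findings

def find_exposed_configs(docroot):
    """Map every sftp-config.json under docroot to its findings. Presence under
    the document root is itself the problem, so even an empty list means: remove it."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if "sftp-config.json" in files:
            path = os.path.join(dirpath, "sftp-config.json")
            with open(path, encoding="utf-8") as fh:
                try:
                    report[path] = audit_config(parse_sftp_config(fh.read()))
                except ValueError:
                    report[path] = ["unparseable config; inspect manually"]
    return report

# Constructed sample: what an accidentally uploaded FTP config looks like.
SAMPLE = """{
    // The tab key will cycle through the settings when first created
    "type": "ftp",
    "host": "ftp.example.invalid",
    "user": "deploy",
    "password": "hunter2",
    "remote_path": "/var/www/html"
}"""
```

Run find_exposed_configs() against the web root on the server, not the local project copy, to confirm nothing was uploaded.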