You can find the bug by doing following:
1. stty -echo
2. sftp user@server
key in password as required.
3. cd /
4. ls -l
5. bye
6. stty -a

By right, the sftp commands entered in step 3-5 and the command entered after sftp exits at step 6 shouldn't be visible, but they do.
I tested sftp on other UNIX/Linux platforms, found Solaris/AIX/HP-UX and RHEL 5.5 all work properly. So this bug needs be fixed.