[Bug 1754] Can not copy from directories with space.

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Apr 11 18:05:21 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1754

--- Comment #4 from Darren Tucker <dtucker at zip.com.au> 2010-04-11 18:05:20 EST ---
(In reply to comment #2)
> I think, that when issuing command on remote shell, scp SHOULD escape
> strings.

You can't reliably do this: there's no way for scp to know what the
remote shell is and thus what its escaping rules are.  There's no
guarantee it has the same rules as the local shell.

(In reply to comment #3)
> If not, it is security vulnerability - suppose one have automatic scp
> commands on some server. Specifying bad file name may cause executing
> commands or accessing files on remote side.

If the (restricted) shell you're using allows executing commands based
on the content of the filenames then you have a problem with either the
shell or its config.  Also, relying on client-side escaping as a
security measure is worthless even if you could do it reliably, which
you can't.

> double-quoting may cause compatibility problems in future, when this
> bug will be eliminated.

This is fundamentally unfixable within the scp "protocol", such as it
is.  If this bugs you then use sftp instead since the filename are
encoded in a defined way within the protocol and not subject to the
vagaries of shell processing.

See http://www.openssh.com/faq.html#2.10

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list