[Bug 1814] scp get file prepends -- before filename
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Tue Dec 7 08:44:38 EST 2010
https://bugzilla.mindrot.org/show_bug.cgi?id=1814
petiepooo at yahoo.com <petiepooo at yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |petiepooo at yahoo.com
--- Comment #7 from petiepooo at yahoo.com <petiepooo at yahoo.com> 2010-12-07 08:44:38 EST ---
It seems like the fix is worse than the danger for this issue.
Patchset 3682 clearly breaks scp compatibility with a good portion of
the existing (difficult to upgrade) getopt-noncompliant routing
infrastructure in order to prevent a possible vulnerability with names
that start with a dash. Can anyone point me to an organization that
really uses user, host, or file names that start with a dash?
I didn't think so.. 8-)
There's a common expression I've heard about "throwing the baby out
with the bathwater." It seems that is what is happening here.
At the very least, could you check for existence of a name starting
with a character in the set [-?*] before adding the double-dash? I
think that would allow non-wildcard copies with getopt-noncompliant
implementations while still giving protection against names starting
with a dash. Not a perfect solution, but it would at keep
Nortel/Juniper users from having to maintain an out-of-date scp binary.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list