[Bug 1814] scp get file prepends -- before filename

bugzilla-daemon at bugzilla.mindrot.org
Tue Dec 7 08:44:38 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1814

petiepooo at yahoo.com <petiepooo at yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |petiepooo at yahoo.com

--- Comment #7 from petiepooo at yahoo.com <petiepooo at yahoo.com> 2010-12-07 08:44:38 EST ---
It seems like the fix is worse than the danger for this issue. 
Patchset 3682 clearly breaks scp compatibility with a good portion of
the existing (difficult to upgrade) getopt-noncompliant routing
infrastructure in order to prevent a possible vulnerability with names
that start with a dash.  Can anyone point me to an organization that
really uses user, host, or file names that start with a dash?

I didn't think so..  8-)

There's a common expression I've heard about "throwing the baby out
with the bathwater."  It seems that is what is happening here.

At the very least, could you check for existence of a name starting
with a character in the set [-?*] before adding the double-dash?  I
think that would allow non-wildcard copies with getopt-noncompliant
implementations while still giving protection against names starting
with a dash.  Not a perfect solution, but it would at least keep
Nortel/Juniper users from having to maintain an out-of-date scp binary.

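The conditional check proposed in comment #7, next to the unconditional `--`, as an added example that is not code from the bug report or from OpenSSH. The `scp -f <path>` command shape is simplified, and the names `needs_guard`, `build_remote_cmd` and `guard_policy` and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Policy for guarding the remote path with "--" (end of options). */
enum guard_policy {
    GUARD_ALWAYS,     /* behaviour in the bug title: always prepend "--" */
    GUARD_HEURISTIC   /* comment #7: only for a leading '-', '?' or '*' */
};

/* Hypothetical helper: does the heuristic consider this path risky? */
static int needs_guard(const char *path)
{
    /* strchr() also matches the terminator, so rule out "" first. */
    return path[0] != '\0' && strchr("-?*", path[0]) != NULL;
}

/*
 * Build a simplified remote command ("scp -f <path>"; a real client adds
 * more flags and quoting). Returns 0 on success, -1 if the buffer is
 * too small for the whole command.
 */
static int build_remote_cmd(char *out, size_t len, const char *path,
                            enum guard_policy policy)
{
    int guard = (policy == GUARD_ALWAYS) || needs_guard(path);
    int n = snprintf(out, len, "scp -f %s%s", guard ? "-- " : "", path);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from the bug report. */
    const char *paths[] = { "config.txt", "-notes.txt", "*.log", "[-a]*" };
    char cmd[128];

    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        if (build_remote_cmd(cmd, sizeof(cmd), paths[i], GUARD_HEURISTIC) == 0)
            printf("%-12s -> %s\n", paths[i], cmd);
    }
    return 0;
}
```

The last sample is left unguarded by the heuristic, although a bracket pattern can expand on the remote side to a name that starts with a dash. `GUARD_ALWAYS` covers that case, but it is the form the comment says getopt-noncompliant implementations do not accept.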