[Bug 3693] Is SFTP local command execution implemented based on an RFC protocol?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 30 17:49:15 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3693

--- Comment #4 from renmingshuai <rmsh1216 at 163.com> ---
(In reply to Damien Miller from comment #3)
> I'm still not understanding. How is this an exploit? This looks like
> something the user has configured themselves.

This really is something the user configured themselves. The user wrote
an expect script to interact with sftp. The direct cause of this problem
is that the expect script incorrectly matches a keyword from the banner
message. Is the client allowed to provide a new option to allow the user
to explicitly disable the display of banners from the server? This is
in accordance with section 5.4 of RFC 4252. If it's allowed, I can
provide the new option.
