[openssh-commits] [openssh] 02/02: upstream: allow spaces to appear in usernames for local to remote,

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Jul 5 10:27:10 AEST 2021


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit b67eb12f013c5441bb4f0893a97533582ad4eb13
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Mon Jul 5 00:25:42 2021 +0000

    upstream: allow spaces to appear in usernames for local to remote,
    
    and scp -3 remote to remote copies. with & ok dtucker bz#1164
    
    OpenBSD-Commit-ID: e9b550f3a85ffbb079b6720833da31317901d6dd
---
 scp.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/scp.c b/scp.c
index d23f34c1..cc2dcc37 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.214 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.215 2021/07/05 00:25:42 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -915,10 +915,6 @@ toremote(int argc, char **argv)
 			goto out;
 		}
 	}
-	if (tuser != NULL && !okname(tuser)) {
-		++errs;
-		goto out;
-	}
 
 	/* Parse source files */
 	for (i = 0; i < argc - 1; i++) {
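Review bot: Removing the `okname(tuser)` check from the top of toremote() leaves no comment at this site explaining why the branches of the source loop that follow may now see an unvalidated tuser. The commit message names local to remote and `scp -3` copies as the cases meant to accept spaces, so a one-line comment above `/* Parse source files */` saying that those paths do not place tuser on a remote command line, and that the remote-to-remote branch validates it itself, would keep a later change from adding a new use of tuser that assumes it was already checked. It is also worth confirming that nothing between here and `out:` relied on the early exit this removes.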
@@ -953,6 +949,15 @@ toremote(int argc, char **argv)
 			(void) close(remout);
 			remin = remout = -1;
 		} else if (host) {	/* standard remote to remote */
+			/*
+			 * Second remote user is passed to first remote side
+			 * via scp command-line. Ensure it contains no obvious
+			 * shell characters.
+			 */
+			if (tuser != NULL && !okname(tuser)) {
+				++errs;
+				continue;
+			}
 			if (tport != -1 && tport != SSH_DEFAULT_PORT) {
 				/* This would require the remote support URIs */
 				fatal("target port not supported with two "
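Review bot: The check added in the `else if (host)` branch tests tuser, which is set before the source loop and does not vary per source, yet it now runs on every iteration and uses `continue` where the removed code used `goto out`. A rejected target user therefore increments errs once per remote source instead of stopping once, and any diagnostic okname() emits would repeat for each of them. If the intent is to let other sources in the same invocation proceed, say so in the comment; otherwise compute the result once before the loop and test a flag here. The comment's wording "no obvious shell characters" also undersells the role of this check: from the visible lines it is the only filter between tuser and the command line sent to the first remote side, and stating that would flag any future loosening of okname() for review against this call site.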

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

