sftp quote parsing broken in OpenSSH 3.7.1 portable

Andrew Mortensen admorten at umich.edu
Fri Sep 19 05:07:48 EST 2003 

In 3.7.1 portable, sftp no longer correctly parses filenames enclosed 
in quotation marks. Below is an short transcript describing the bug.

sftp> ls
                     .                   ..                  
test_archive.tgz
sftp> get "test_archive.tgz"
Unterminated quote
sftp> get "test_archive.tgz" "test_archive.tgz"
Fetching /Users/admorten/testdir/test_archive.tgz to
/Users/admorten/testdir/test_archive.tgz      100%  773KB   0.0KB/s   
00:00
sftp> lls -l
total 780
-rw-r--r--    1 admorten staff      791161 Sep 18 14:49
sftp> get test_archive.tgz
Fetching /Users/admorten/testdir/test_archive.tgz to test_archive.tgz
/Users/admorten/testdir/test_archive.tgz      100%  773KB   0.0KB/s   
00:00
sftp> lls -l
total 1560
-rw-r--r--    1 admorten staff      791161 Sep 18 14:49
-rw-r--r--    1 admorten staff      791161 Sep 18 14:51 test_archive.tgz
sftp>

--

The problem is that the position counter in sftp-int.c is not 
incremented when the terminating quote is located. This causes the 
"Unterminated quote" error when no destination is given. When a 
destination is given, and is also wrapped in quotes, the characters 
between the terminating quote of the source and the beginning quote of 
the destination are taken to be the destination filename, resulting in 
writes, above, to a file named " ". This behavior can also be 
demonstrated using only three quotes:

sftp> get "test_archive.tgz"New_test_archive.tgz"
Fetching /Users/admorten/testdir/test_archive.tgz to 
New_test_archive.tgz
/Users/admorten/testdir/test_archive.tgz      100%  773KB   0.0KB/s   
00:00
sftp> lls -l
total 2340
-rw-r--r--    1 admorten staff      791161 Sep 18 14:49
-rw-r--r--    1 admorten staff      791161 Sep 18 14:57 
New_test_archive.tgz
-rw-r--r--    1 admorten staff      791161 Sep 18 14:51 test_archive.tgz
sftp>

Below is a patch fixing the increment:

--- sftp-int-orig.c     Thu Sep 18 13:52:40 2003
+++ sftp-int.c  Thu Sep 18 13:53:11 2003
@@ -351,6 +351,7 @@
                 for (i = j = 0; i <= strlen(cp); i++) {
                         if (cp[i] == quot) {    /* Found quote */
                                 (*path)[j] = '\0';
+                               i++;
                                 break;
                         }
                         if (cp[i] == '\0') {    /* End of string */


andrew

More information about the openssh-unix-dev mailing list