file name handling "bug" in scp?

Darren Tucker dtucker at
Tue Jul 26 12:59:48 EST 2005

Evaldo Gardenali wrote:
> My point is... shouldn't scp prevent expansion in the remote side?

It can't.  Since the file (or directory) name is passed as a 
command-line argument to the remote scp, it would require escaping the 
filename.   This is shell-specific, and scp has no knowledge of what the 
remote shell is going to do.

> This allows users of sites that prevent them from logging in via ssh or 
> running remote commands to abuse scp and actually run what they wanted.
> Some people allow you to use scp/sftp to do file transfer, but not to 
> run vanity commands on their servers. This happens a lot in companies I 
> know.

Those that do must be using some mechanism to allow only scp (eg a 
correctly configured general-purpose restricted shell, or a special 
purpose shell such as scponly or rssh).  If they process shell backticks 
then that's a problem with them.

sftp is less problematic in this regard since it's a well-defined 
protocol and doesn't require a shell to parse filenames at all.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list