file name handling "bug" in scp?
dtucker at zip.com.au
Tue Jul 26 12:59:48 EST 2005
Evaldo Gardenali wrote:
> My point is... shouldn't scp prevent expansion in the remote side?
It can't. Since the file (or directory) name is passed as a
command-line argument to the remote scp, it would require escaping the
filename. This is shell-specific, and scp has no knowledge of what the
remote shell is going to do.
> This allows users of sites that prevent them from logging in via ssh or
> running remote commands to abuse scp and actually run what they wanted.
> Some people allow you to use scp/sftp to do file transfer, but not to
> run vanity commands on their servers. This happens a lot in companies I
Those that do must be using some mechanism to allow only scp (eg a
correctly configured general-purpose restricted shell, or a special
purpose shell such as scponly or rssh). If they process shell backticks
then that's a problem with them.
sftp is less problematic in this regard since it's a well-defined
protocol and doesn't require a shell to parse filenames at all.
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev