scp -t . - possible idea for additional parameter

Damien Miller djm at mindrot.org
Fri Oct 12 09:19:35 EST 2007


On Thu, 11 Oct 2007, Larry Becke wrote:

> > On 2007-10-11 18:01, Larry Becke wrote:
> > > Can this be done?
> >
> > Theoretically. See my previous message.
>
> I must have missed it.
>
> > > Is it so terribly hard to add the feature?
> >
> > It's not easy. See my previous message, and do a little research on path
> > canonicalization and past directory traversal vulnerabilities in, e.g.
> > IIS and Apache, to understand this better.
>
> To throw an error and exit if "../" is in the remote path parameter?
> To add a "./" between hostname: and /path/to/dir in the remote path parameter?

That is probably insufficient and likely to break some software that
uses scp. You could use realpath(3) and compare the stem, but that has a
downside too: it will break on traverse-only directories.

Just to be clear, I have zero interest in making any feature additions
to scp and I think most of the developers feel the same way. It is a
difficult protocol to extend, and its use of a shell-expanded commandline
to inform it of which files to transfer makes it very brittle. Given its
very widespread use, I think it is best to leave it be and concentrate
efforts on making sftp/sftp-server a compelling substitute.

-d

PS. I don't know what mail client you are using, but it is mangling 
the quoting in your replies into an unreadable mess.
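An added illustration of the realpath(3) stem comparison mentioned above, written for this page and not code from OpenSSH or from anyone in this thread: it canonicalises both paths, compares on a component boundary, and fails closed when resolution fails (the traverse-only directory case), with a constructed scratch tree covering the cases a bare "../" string test does not. The function names, the /tmp location and the tree layout are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if target, once canonicalised, lies inside base; 0 otherwise. Resolution
 * failure (missing path, or a traverse-only directory realpath(3) cannot walk)
 * is reported as outside, so the check fails closed rather than open. */
int path_within(const char *base, const char *target)
{
    char rbase[PATH_MAX], rtarget[PATH_MAX];
    size_t n;
    if (realpath(base, rbase) == NULL || realpath(target, rtarget) == NULL)
        return 0;
    n = strlen(rbase);
    if (n == 1)                 /* base is "/": every resolved path is inside */
        return 1;
    if (strncmp(rbase, rtarget, n) != 0)
        return 0;
    /* the stem must end on a component boundary: /srv/data must reject /srv/data2 */
    return rtarget[n] == '\0' || rtarget[n] == '/';
}

/* Constructed scratch tree under mkdtemp(3): data/, data/file, data2/ and the
 * symlink data/out -> data2.  Returns a bitmask (15 when every case behaves):
 * 1 child accepted, 2 "data/../data2" rejected, 4 sibling "data2" rejected
 * (bare-prefix pitfall), 8 symlink leaving base rejected; -1 on setup error. */
int run_demo(void)
{
    static const char *rel[] = { "data", "data/file", "data2", "data/out", "data/../data2" };
    char tmpl[] = "/tmp/scpchkXXXXXX", p[5][PATH_MAX];
    FILE *f;
    int r = 0, i;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    for (i = 0; i < 5; i++)
        snprintf(p[i], PATH_MAX, "%s/%s", tmpl, rel[i]);
    if (mkdir(p[0], 0700) || mkdir(p[2], 0700) || (f = fopen(p[1], "w")) == NULL)
        return -1;
    fclose(f);
    if (symlink(p[2], p[3]) != 0)
        return -1;
    r |= path_within(p[0], p[1]) ? 1 : 0;   /* plain child: inside */
    r |= path_within(p[0], p[4]) ? 0 : 2;   /* ../ sibling: outside */
    r |= path_within(p[0], p[2]) ? 0 : 4;   /* data2 shares the prefix "data": outside */
    r |= path_within(p[0], p[3]) ? 0 : 8;   /* symlink resolves to data2: outside */
    return r;
}
```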

