Status of SCP vulnerability

Ben Lindstrom mouring at
Thu Jan 24 05:35:13 AEDT 2019

I worked on a proposal like this a few years back (including proof of 
concept code).  I taught sftp to have an scp personality (closer to scp2 
than scp), and it was rejected by the higher ups.  It may have been the 
dual-personality issue, but I know the scp2 concept was also rejected at 
the time as it was stated there should be one transfer tool.

But the only way to drag scp into this century is pretty much a scp2 
style interface.  As mimic all the stupidity of shell escape handling 
for wildcard matching while using sftp protocol is asking for brokenness 
in strange ways.  This is why scp2 was created by SSH Corp.


Colin Watson wrote on 1/23/19 12:00 PM:
> On Wed, Jan 23, 2019 at 06:29:29PM +0100, Christoph Anton Mitterer wrote:
>> So isn't it possibly to fully fix scp?
> IMO a complete fix should involve converting scp to use the SFTP
> protocol under the hood.  PuTTY's pscp takes this approach.  I started
> working on a similar patch to OpenSSH some years ago but never got
> around to finishing it.
> (Yes, a traditional scp client invokes scp on the server as part of its
> protocol; but it passes special -f or -t options when it does so, so
> that doesn't preclude having scp speak the SFTP protocol when invoked in
> the ordinary way.)

More information about the openssh-unix-dev mailing list