Is sshd supposed to interpret "{a,b}" brace expansions?
Peter Simons
simons at nospf.cryp.to
Wed Jan 30 22:34:17 AEDT 2019
Hi,
the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
to prevent the server from sending files that the client actually did
not request. Now, a consequence of that patch is that commands which
contain server-side brace expansions such as
$ scp remote:'/etc/{passwd,group}' .
error: unexpected filename: passwd
no longer work. Shell globs such as [abc], ?, *, and combinations
thereof still work fine, but {a,b} does not.
Is that a shortcoming of the patch? Or is it intended behavior?
I looked through various man pages, but I could not find any definite
statement about whether server-side brace expansion are supposed to work
on or not. Could someone please enlighten me?
Best regards,
Peter
[1] https://sintonen.fi/advisories/scp-name-validator.patch
More information about the openssh-unix-dev
mailing list