Is sshd supposed to interpret "{a,b}" brace expansions?

Peter Simons simons at
Wed Jan 30 22:34:17 AEDT 2019


the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
to prevent the server from sending files that the client actually did
not request. Now, a consequence of that patch is that commands which
contain server-side brace expansions such as

    $ scp remote:'/etc/{passwd,group}' .
    error: unexpected filename: passwd

no longer work. Shell globs such as [abc], ?, *, and combinations
thereof still work fine, but {a,b} does not.

Is that a shortcoming of the patch? Or is it intended behavior?

I looked through various man pages, but I could not find any definite
statement about whether server-side brace expansion are supposed to work
on or not. Could someone please enlighten me?

Best regards,


More information about the openssh-unix-dev mailing list