Is sshd supposed to interpret "{a,b}" brace expansions?

Damien Miller djm at
Thu Jan 31 09:58:35 AEDT 2019

On Wed, 30 Jan 2019, Peter Simons wrote:

> Hi,
> the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
> to prevent the server from sending files that the client actually did
> not request.

That's _a_ proposed fix, but not the one we used.

Ours is:

> Now, a consequence of that patch is that commands which
> contain server-side brace expansions such as
>     $ scp remote:'/etc/{passwd,group}' .
>     error: unexpected filename: passwd
> no longer work. Shell globs such as [abc], ?, *, and combinations
> thereof still work fine, but {a,b} does not.
> Is that a shortcoming of the patch? Or is it intended behavior?

It's basically an inevitability that some patterns will fail. In the
general case, there's no way for the client to know what rules the
server will use to expand the filename that is passed. Throw in quoting
conventions and it's even more of a mess. For this reason, our patch
includes a flag (-T) to disable the client-side checks.


More information about the openssh-unix-dev mailing list