scp, sftp, and special characters in filenames
Damien Miller
djm at mindrot.org
Mon Nov 4 13:07:12 AEDT 2019
On Mon, 4 Nov 2019, David Newall wrote:
> On 4/11/19 3:29 am, Demi M. Obenour wrote:
> > I have not been able to get scp(1) to download a file with a newline
> > in its name. I know that scp(1) requires that remote filenames be
> > escaped for the shell, but that leads to protocol errors.
>
> I see something much worse:
>
> $ sudo sh
> # echo "#!/bin/sh
> touch /tmp/b-ran" > /tmp/b
> # chmod a+x /tmp/b
> # exit
> $ touch a 'a
> b'
> $ rm -f abc /tmp/b-ran
> $ scp localhost:'a
> b' abc
> a 100% 0 0.0KB/s 00:00
> $ ls /tmp/b-ran
> /tmp/b-ran
>
> Scp can be exploited to run commands, which I think is a problem.

scp isn't being exploited, you're just running commands in your own
remote shell and all interpretation happens there - scp never sees
those characters.

This "feature" dates back to rcp from 1981 (scp is rcp in a nicer pair
of shoes) and isn't fixable without breaking scp's "protocol".

-d
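
Added example, not part of the original message and not OpenSSH code: a local model of the point made in the reply above, that the remote login shell, not scp, parses the path. It assumes the simplified legacy form `scp -f <path>` for the remote command; `fetch_command`, `remote_shell` and the `scp`/`b` shell functions are constructed stand-ins that only print what they receive.

```python
import shlex
import subprocess

# Stand-ins defined inside the modelled remote shell (constructed for this
# example): "scp" prints each argument it receives, "b" prints a marker.
STUBS = r'''
scp() { for a in "$@"; do printf 'scp-arg<%s>\n' "$a"; done; }
b()   { printf 'b-ran\n'; }
'''

def fetch_command(remote_path, quote=False):
    """Command string the client asks the remote side to run.

    Simplified model of legacy scp ("scp -f <path>"): the path is pasted
    into the string as-is unless the caller quotes it for the shell.
    """
    if quote:
        remote_path = shlex.quote(remote_path)
    return "scp -f " + remote_path

def remote_shell(command):
    """Model the remote login shell parsing the command string it was handed."""
    script = STUBS + 'eval "$1"\n'
    result = subprocess.run(["sh", "-c", script, "sh", command],
                            capture_output=True, text=True, check=True)
    return result.stdout

# The file name from the thread: 'a', a newline, then 'b'.
NAME = "a\nb"

if __name__ == "__main__":
    # Unquoted: the shell sees two command lines, "scp -f a" and "b".
    print(remote_shell(fetch_command(NAME)))
    # Quoted: the shell hands scp a single argument containing the newline.
    # This covers only the shell-parsing step; the thread's first message
    # reports that such a name still runs into protocol errors.
    print(remote_shell(fetch_command(NAME, quote=True)))
```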