scp, sftp, and special characters in filenames
David Newall
openssh at davidnewall.com
Mon Nov 4 13:54:43 AEDT 2019
On 4/11/19 12:37 pm, Damien Miller wrote:
> scp isn't being exploited, you're just running commands in your own
> remote shell and all interpretation happens there - scp never sees
> those characters.

I already understood what was going on. The issue is, scp promises to
"cop[y] files between hosts on a network [using] ssh for data transfer."
It does not promise to also execute arbitrary commands. When a file
copy program is used to execute arbitrary commands, that seems to almost
be the definition of an exploit.

The poor quality of command parsing (I mean, clumsy and awkward need to
quote and escape characters, even though the shell has already given scp
individual arguments) suggests why scp can be exploited in that manner.
Although scp is speaking to sshd, obviously somewhere along the line one
of the components is translating that into a shell command line and thus
losing the identity of arguments. That's just awful, and I should have
thought it was not at all necessary. Am I missing something?
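
The loss of argument identity discussed in this message, as an added illustration that is not part of the original post and is not OpenSSH code. It assumes the remote command has the shape `scp -f <path>`, uses Python's `shlex` as a stand-in for the remote shell's word splitting (nothing is executed), and the function names and sample filenames are constructed for the example.

```python
import shlex

# Constructed sample filenames; each is meant to be ONE argument.
SAMPLES = ["report.txt", "my notes.txt", "a;b", "it's.txt", "x|y"]


def naive_command(path):
    """Join arguments with spaces (assumed shape of the remote command)."""
    return "scp -f " + path


def quoted_command(path):
    """Same command, with the path quoted for a POSIX shell before joining."""
    return "scp -f " + shlex.quote(path)


def remote_words(command_line):
    """Split a command string roughly as a POSIX shell would, without running it.

    shlex only approximates the shell: it models quoting and the control
    operators ; | & ( ) < >, but not expansions such as $VAR or globbing.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    lexer.commenters = ""  # do not treat '#' as a comment in this model
    return list(lexer)


def survives(path, build):
    """True if the remote side would see exactly ['scp', '-f', path]."""
    try:
        return remote_words(build(path)) == ["scp", "-f", path]
    except ValueError:
        # Unbalanced quote: the string is not even a complete shell command.
        return False


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:16} naive={survives(name, naive_command)!s:5} "
              f"quoted={survives(name, quoted_command)}")
```

With the naive join only `report.txt` arrives as a single argument; with quoting applied before the join, every sample does.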