scp, sftp, and special characters in filenames

David Newall openssh at
Mon Nov 4 13:54:43 AEDT 2019

On 4/11/19 12:37 pm, Damien Miller wrote:
> scp isn't being exploited, you're just running commands in your own
> remote shell and all interpretation happens there - scp never sees
> those characters.

I already understood what was going on.  The issue is, scp promises to 
"cop[y] files between hosts on a network [using] ssh for data transfer." 
It does not promise to also execute arbitrary commands.  When a file 
copy program is used to execute arbitrary commands, that seems to almost 
be the definition of an exploit.

The poor quality of command parsing (I mean, clumsy and awkward need to 
quote and escape characters, even though the shell has already given scp 
individual arguments) suggests why scp can be exploited in that manner.  
Although scp is speaking to sshd, obviously somewhere along the line one 
of the components is translating that into a shell command line and thus 
losing the identity of arguments.  That's just awful, and I should have 
thought it was not at all necessary.  Am I missing something?

More information about the openssh-unix-dev mailing list