Deprecation of scp protocol and improving sftp client

Jakub Jelen jjelen at redhat.com
Mon Aug 3 16:49:27 AEST 2020


On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL
wrote:
> Why can the local and remote paths be sanitized?

Because the remote path is *expected* to be expanded by the remote shell before
executing the remote scp. If you sanitize it in any way, you will break
existing use cases.

> Regards,
> Uri
> 
> > On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote:
> > 
> > I wanted to bring this up again due to:
> > https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> > issue with scp which it sounds like cannot be fixed without breaking scp.
> > This seems like it would lend some impetus to doing _something_, even if it
> > breaks scp or necessitates using something new.
> > 
> > Cheers,
> > 
> > Ethan
> > 
> > > On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser at tarent.de> wrote:
> > > 
> > > > On Wed, 15 Jul 2020, Red Cricket wrote:
> > > > 
> > > > I have had this in my .bashrc for years:
> > > > 
> > > > alias scp='rsync -avzP'
> > > 
> > > Similar, though I named it rcp because nobody has the real rcp installed
> > > any more, but sometimes I need scp to connect to systems that lack rsync.
> > > 
> > > https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
> > > 
> > > > maybe rsync is a better replacement for scp than sftp would be?
> > > 
> > > It could be, were it not under a restrictive licence…
> > > 
> > > This doesn’t preclude people from making SSH’s builtin transfers
> > > better, though.
> > > 
> > > bye,
> > > //mirabilos
> > > --
> > > «MyISAM tables -will- get corrupted eventually. This is a fact of life. »
> > > “mysql is about as much database as ms access” – “MSSQL at least descends
> > > from a database” “it's a rebranded SyBase” “MySQL however was born from a
> > > flatfile and went downhill from there” – “at least jetDB doesn’t claim to
> > > be a database”  (#nosec)    ‣‣‣ Please let MySQL and MariaDB finally die!
> > > _______________________________________________
> > > openssh-unix-dev mailing list
> > > openssh-unix-dev at mindrot.org
> > > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> > > 
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
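The shell-expansion point made in the reply above, shown as an added illustration (this is not code from the thread or from OpenSSH): scp passes the user-supplied remote path to the remote login shell as part of a command line, so globs, `~` and `$VAR` are expanded by that shell before the remote scp runs. Shell-quoting the path (the obvious "sanitization") turns each of those into a literal and silently breaks transfers that rely on the expansion. The example does not contact any host; a local `/bin/sh` stands in for the remote shell and a constructed temporary directory stands in for the remote home, and `printf` is used in place of the remote `scp` so the resulting argument list can be observed.

```python
"""Why quoting the remote path breaks scp's expected behaviour (added example).

The remote shell step is simulated locally: /bin/sh expands the path exactly
as a remote login shell would, and printf prints the resulting argument list
(one argument per line), which is what the remote scp would have received.
"""
import os
import shlex
import subprocess
import tempfile
from pathlib import Path


def expand_as_remote_shell(path: str, sanitize: bool, cwd: str, home: str) -> list[str]:
    """Return the arguments the (simulated) remote shell produces for PATH.

    sanitize=False mirrors scp today: the path is spliced into the command
    line verbatim and the shell expands it.  sanitize=True applies the naive
    fix of shell-quoting the path first (shlex.quote), which makes the shell
    treat it as one literal word.
    """
    word = shlex.quote(path) if sanitize else path
    # printf '%s\n' prints each argument on its own line.
    cmd = "printf '%s\\n' " + word
    out = subprocess.run(
        ["/bin/sh", "-c", cmd],
        cwd=cwd,
        # A minimal environment: HOME drives ~ and $HOME expansion.
        env={"HOME": home, "PATH": os.environ.get("PATH", "/usr/bin:/bin")},
        capture_output=True,
        text=True,
        check=True,
    )
    return out.stdout.splitlines()


def demo() -> dict[str, list[str]]:
    """Compare unsanitized and sanitized expansion for typical remote paths.

    A constructed 'remote home' containing two log files is created in a
    temporary directory; the shell runs with that directory as both cwd and
    HOME so the relative glob, the ~ form and the $HOME form all resolve there.
    """
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as home:
        (Path(home) / "a.log").write_text("")
        (Path(home) / "b.log").write_text("")
        for path in ("*.log", "~/a.log", "$HOME/b.log"):
            results[path] = expand_as_remote_shell(path, False, home, home)
            results[path + " (sanitized)"] = expand_as_remote_shell(path, True, home, home)
    return results


if __name__ == "__main__":
    for spec, argv in demo().items():
        print(f"{spec:28} -> {argv}")
```

Unsanitized, `*.log` becomes the two file names and `~/a.log` and `$HOME/b.log` become absolute paths; sanitized, every one of them stays a single literal word that no file on the remote side matches. That is the compatibility cost the reply refers to: the same mechanism users depend on for wildcards is the one a path filter would have to disable.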