Deprecation of scp protocol and improving sftp client
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Mon Aug 3 23:47:52 AEST 2020
I conjecture that only few of the existing use cases rely on remote expansion.
In any case (no pun intended), IMHO it would be better to break a few of the current use cases but leave the majority functional - than kill scp for all.
Regards,
Uri
> On Aug 3, 2020, at 02:50, Jakub Jelen <jjelen at redhat.com> wrote:
>
> On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL
> wrote:
>> Why can the local and remote paths be sanitized?
>
> Because remote path is *expected* to be expanded by remote shell before
> executing remote scp. If you sanitize it in any way, you will break
> existing use cases.
>
>> Regards,
>> Uri
>>
>>>> On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>>>
>>> I wanted to bring this up again due to:
>>> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a
>>> clear
>>> issue with scp which it sounds like cannot be fixed without
>>> breaking scp.
>>> This seems like it would lend some impetus to doing _something_,
>>> even if it
>>> breaks scp or necessitates using something new.
>>>
>>> Cheers,
>>>
>>> Ethan
>>>
>>>> On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <
>>>> t.glaser at tarent.de> wrote:
>>>>
>>>>> On Wed, 15 Jul 2020, Red Cricket wrote:
>>>>>
>>>>> I have had this in my .bashrc for years:
>>>>>
>>>>> alias scp='rsync -avzP'
>>>>
>>>> Similar, though I named it rcp because nobody has the real rcp
>>>> installed
>>>> any more, but sometimes I need scp to connect to systems that
>>>> lack rsync.
>>>>
>>>>
>>>> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>>>>
>>>>> maybe rsync is a better replacement for scp than sftp would be?
>>>>
>>>> It could be, were it not under a restrictive licence…
>>>>
>>>>
>>>> This doesn’t preclude people from making SSH’s builtin transfers
>>>> better, though.
>>>>
>>>> bye,
>>>> //mirabilos
>>>> --
>>>> «MyISAM tables -will- get corrupted eventually. This is a fact of
>>>> life. »
>>>> “mysql is about as much database as ms access” – “MSSQL at least
>>>> descends
>>>> from a database” “it's a rebranded SyBase” “MySQL however was
>>>> born from a
>>>> flatfile and went downhill from there” – “at least jetDB doesn’t
>>>> claim to
>>>> be a database” (#nosec) ‣‣‣ Please let MySQL and MariaDB
>>>> finally die!
>>>> _______________________________________________
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev at mindrot.org
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5874 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20200803/87a177a3/attachment.p7s>
More information about the openssh-unix-dev
mailing list