Is sshd supposed to interpret "{a,b}" brace expansions?
Jakub Jelen
jjelen at redhat.com
Thu Jan 31 00:46:34 AEDT 2019
Hello,
from what I understand, the brace expansion is not expanded in the
remote scp nor sshd, but in the remote shell (the remote command is run
inside of bash -c "command"). The debug line looks like this:
Executing: program /usr/bin/ssh host rhel7.virt, user (unspecified),
command scp -v -f /etc/{passwd,group}
But what is actually executed is
bash -c "scp -v -f /etc/{passwd,group}"
expanding to in the remote shell (in the above example bash) to
scp -v -f /etc/passwd /etc/group
Therefore for this patch to work the same way will need also the
GLOB_BRACE flag to the glob().
Regards,
Jakub
On Wed, 2019-01-30 at 12:34 +0100, Peter Simons wrote:
> Hi,
>
> the proposed fix for CVE-2019-6111 [1] adds file name validation to
> scp
> to prevent the server from sending files that the client actually did
> not request. Now, a consequence of that patch is that commands which
> contain server-side brace expansions such as
>
> $ scp remote:'/etc/{passwd,group}' .
> error: unexpected filename: passwd
>
> no longer work. Shell globs such as [abc], ?, *, and combinations
> thereof still work fine, but {a,b} does not.
>
> Is that a shortcoming of the patch? Or is it intended behavior?
>
> I looked through various man pages, but I could not find any definite
> statement about whether server-side brace expansion are supposed to
> work
> on or not. Could someone please enlighten me?
>
> Best regards,
> Peter
>
>
> [1] https://sintonen.fi/advisories/scp-name-validator.patch
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
More information about the openssh-unix-dev
mailing list