Is sshd supposed to interpret "{a,b}" brace expansions?
Peter Simons
simons at nospf.cryp.to
Thu Jan 31 19:27:35 AEDT 2019
Jakub Jelen writes:
> from what I understand, the brace expansion is not expanded in the
> remote scp nor sshd, but in the remote shell (the remote command is
> run inside of bash -c "command").
Yes, you are right of course. Thank you for pointing that out.
Damien Miller writes:
>> the proposed fix for CVE-2019-6111 [1] adds file name validation to
>> scp [...]
>
> That's _a_ proposed fix, but not the one we used.
>
> Ours is: https://anongit.mindrot.org/openssh.git/patch/?id=391ffc4b9
I see. Thank you very much for the pointer.
Best regards
Peter
More information about the openssh-unix-dev mailing list