I've not used sftp at all.
I've only used scp when I had control at both ends.
On Wed, 4 Nov 2020, George N. White III wrote:
This is due to a fundamental insecurity in the old-style SCP protocol: the
client sends the wildcard string (*.c) to the server, and the server sends
back a sequence of file names that match the wildcard pattern. However,
there is nothing to stop the server sending back a different pattern and
writing over one of your other files: if you request *.c, the server might
send back the file name AUTOEXEC.BAT and install a virus for you. Since the
wildcard matching rules are decided by the server, the client cannot
reliably verify that the filenames sent back match the pattern.
In this particular case, I'd think the client
could tell that a .BAT file was not a .c file.
There is only so much any protocol can do about a malicious server.
Even if the client explicitly specifies a server file,
there is no guarantee that the server will send a correct copy.
Note: no quoted boilerplate. Please emulate.
--
Michael hennebry@xxxxxxxxxxxxxxxxxxxxx
"Sorry but your password must contain an uppercase letter, a number,
a haiku, a gang sign, a heiroglyph, and the blood of a virgin."
-- someeecards
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
