Hi, the proposed fix for CVE-2019-6111 [1] adds file name validation to scp to prevent the server from sending files that the client actually did not request. Now, a consequence of that patch is that commands which contain server-side brace expansions such as $ scp remote:'/etc/{passwd,group}' . error: unexpected filename: passwd no longer work. Shell globs such as [abc], ?, *, and combinations thereof still work fine, but {a,b} does not. Is that a shortcoming of the patch? Or is it intended behavior? I looked through various man pages, but I could not find any definite statement about whether server-side brace expansion are supposed to work on or not. Could someone please enlighten me? Best regards, Peter [1] https://sintonen.fi/advisories/scp-name-validator.patch _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev