Is sshd supposed to interpret "{a,b}" brace expansions?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
to prevent the server from sending files that the client actually did
not request. Now, a consequence of that patch is that commands which
contain server-side brace expansions such as

    $ scp remote:'/etc/{passwd,group}' .
    error: unexpected filename: passwd

no longer work. Shell globs such as [abc], ?, *, and combinations
thereof still work fine, but {a,b} does not.

Is that a shortcoming of the patch? Or is it intended behavior?

I looked through various man pages, but I could not find any definite
statement about whether server-side brace expansion are supposed to work
on or not. Could someone please enlighten me?

Best regards,
Peter


[1] https://sintonen.fi/advisories/scp-name-validator.patch

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux