Hello,
from what I understand, the brace expansion is not expanded in the remote scp nor sshd, but in the remote shell (the remote command is run inside of bash -c "command"). The debug line looks like this:

  Executing: program /usr/bin/ssh host rhel7.virt, user (unspecified), command scp -v -f /etc/{passwd,group}

But what is actually executed is

  bash -c "scp -v -f /etc/{passwd,group}"

expanding in the remote shell (in the above example bash) to

  scp -v -f /etc/passwd /etc/group

Therefore, for this patch to work the same way, it will also need the GLOB_BRACE flag to the glob().

Regards,
Jakub

On Wed, 2019-01-30 at 12:34 +0100, Peter Simons wrote:
> Hi,
>
> the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
> to prevent the server from sending files that the client actually did
> not request. Now, a consequence of that patch is that commands which
> contain server-side brace expansions such as
>
>   $ scp remote:'/etc/{passwd,group}' .
>   error: unexpected filename: passwd
>
> no longer work. Shell globs such as [abc], ?, *, and combinations
> thereof still work fine, but {a,b} does not.
>
> Is that a shortcoming of the patch? Or is it intended behavior?
>
> I looked through various man pages, but I could not find any definite
> statement about whether server-side brace expansions are supposed to
> work or not. Could someone please enlighten me?
>
> Best regards,
> Peter
>
>
> [1] https://sintonen.fi/advisories/scp-name-validator.patch
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
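The mismatch discussed in this thread, as an added example that is not part of the original messages and is not OpenSSH code: a client-side check that compares a server-supplied file name against the requested pattern, once with plain fnmatch(3) and once after expanding braces first. The function names, the FNM_PATHNAME flag and the sample names are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Plain fnmatch(3) check: '{', ',' and '}' are ordinary characters here. */
static int match_plain(const char *pattern, const char *name)
{
    return fnmatch(pattern, name, FNM_PATHNAME) == 0;
}

/*
 * Expand the first {a,b,...} group, recurse on each alternative, and
 * accept the name if any fully expanded pattern matches it.
 * Simplifications (unlike bash): no nested braces, no backslash escapes,
 * a group without a comma is still expanded, patterns under 512 bytes.
 */
static int match_brace(const char *pattern, const char *name)
{
    const char *open = strchr(pattern, '{');
    const char *close = open ? strchr(open, '}') : NULL;
    char buf[512];

    if (close == NULL)                  /* no complete group left */
        return match_plain(pattern, name);
    if (strlen(pattern) >= sizeof(buf))
        return 0;                       /* refuse oversized patterns */
    for (const char *alt = open + 1; alt <= close; ) {
        const char *end = memchr(alt, ',', (size_t)(close - alt));
        if (end == NULL)
            end = close;
        /* prefix + this alternative + text after the closing brace */
        snprintf(buf, sizeof(buf), "%.*s%.*s%s",
            (int)(open - pattern), pattern,
            (int)(end - alt), alt, close + 1);
        if (match_brace(buf, name))
            return 1;
        alt = end + 1;
    }
    return 0;
}

int main(void)
{
    const char *pat = "{passwd,group}";  /* basename of the requested path */
    const char *names[] = { "passwd", "group", "shadow" };  /* constructed */
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-7s plain=%d brace=%d\n", names[i],
            match_plain(pat, names[i]), match_brace(pat, names[i]));
    return 0;
}
```

The plain check rejects both requested files, which is the "unexpected filename: passwd" symptom, while the brace-aware check accepts passwd and group and still rejects a name the client never asked for.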