Re: Is sshd supposed to interpret "{a,b}" brace expansions?

Hello,
from what I understand, the brace expansion is not expanded in the
remote scp nor sshd, but in the remote shell (the remote command is run
inside of bash -c "command"). The debug line looks like this:

  Executing: program /usr/bin/ssh host rhel7.virt, user (unspecified),
command scp -v -f /etc/{passwd,group}

But what is actually executed is

  bash -c "scp -v -f /etc/{passwd,group}"

expanding in the remote shell (in the above example bash) to

  scp -v -f /etc/passwd /etc/group


Therefore, for this patch to work the same way, it will also need the
GLOB_BRACE flag to the glob().

Regards,
Jakub


On Wed, 2019-01-30 at 12:34 +0100, Peter Simons wrote:
> Hi,
> 
> the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
> to prevent the server from sending files that the client actually did
> not request. Now, a consequence of that patch is that commands which
> contain server-side brace expansions such as
> 
>     $ scp remote:'/etc/{passwd,group}' .
>     error: unexpected filename: passwd
> 
> no longer work. Shell globs such as [abc], ?, *, and combinations
> thereof still work fine, but {a,b} does not.
> 
> Is that a shortcoming of the patch? Or is it intended behavior?
> 
> I looked through various man pages, but I could not find any definite
> statement about whether server-side brace expansions are supposed to
> work or not. Could someone please enlighten me?
> 
> Best regards,
> Peter
> 
> 
> [1] https://sintonen.fi/advisories/scp-name-validator.patch
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
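
The mismatch discussed in this thread, as an added example (not code from the patch or from OpenSSH): a client-side filename check built on fnmatch()-style globbing accepts `*`, `?` and `[abc]` but treats `{a,b}` literally, so names the remote shell produced by brace expansion are rejected. `name_ok_plain` and `name_ok_braces` are hypothetical helpers, and the assumption is that the check compares each received name against the last path component of the requested pattern.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* fnmatch() understands *, ? and [..] but treats {a,b} as literal text. */
static int name_ok_plain(const char *pattern, const char *name)
{
    return fnmatch(pattern, name, 0) == 0;
}

/*
 * Hypothetical brace-aware check: expand the first flat {a,b,...} group into
 * one pattern per alternative, recurse for later groups, and accept the name
 * if any expansion matches. Not handled in this sketch: nested groups,
 * backslash escapes, and bash's rule that a group without a comma is literal.
 */
static int name_ok_braces(const char *pattern, const char *name)
{
    const char *open = strchr(pattern, '{');
    const char *close = open ? strchr(open, '}') : NULL;
    char buf[1024];
    if (close == NULL)                 /* no complete group left to expand */
        return name_ok_plain(pattern, name);
    for (const char *alt = open + 1; alt <= close; ) {
        const char *end = alt;
        while (end < close && *end != ',')
            end++;
        int n = snprintf(buf, sizeof(buf), "%.*s%.*s%s",
                         (int)(open - pattern), pattern,
                         (int)(end - alt), alt, close + 1);
        if (n < 0 || (size_t)n >= sizeof(buf))
            return 0;                  /* expansion too long: fail closed */
        if (name_ok_braces(buf, name))
            return 1;
        alt = end + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: last path component of '/etc/{passwd,group}'. */
    const char *pattern = "{passwd,group}";
    const char *names[] = { "passwd", "group", "shadow" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-7s plain=%d braces=%d\n", names[i],
               name_ok_plain(pattern, names[i]), name_ok_braces(pattern, names[i]));
    return 0;
}
```

The brace-aware check still rejects any name outside the expanded set, so the validation keeps its purpose while accepting what the remote shell legitimately expanded.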
