On Wed, 30 Jan 2019, Peter Simons wrote: > Hi, > > the proposed fix for CVE-2019-6111 [1] adds file name validation to scp > to prevent the server from sending files that the client actually did > not request. That's _a_ proposed fix, but not the one we used. Ours is: https://anongit.mindrot.org/openssh.git/patch/?id=391ffc4b9 > Now, a consequence of that patch is that commands which > contain server-side brace expansions such as > > $ scp remote:'/etc/{passwd,group}' . > error: unexpected filename: passwd > > no longer work. Shell globs such as [abc], ?, *, and combinations > thereof still work fine, but {a,b} does not. > > Is that a shortcoming of the patch? Or is it intended behavior? It's basically an inevitability that some patterns will fail. In the general case, there's no way for the client to know what rules the server will use to expand the filename that is passed. Throw in quoting conventions and it's even more of a mess. For this reason, our patch includes a flag (-T) to disable the client-side checks. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev