Re: Is sshd supposed to interpret "{a,b}" brace expansions?

On Wed, 30 Jan 2019, Peter Simons wrote:

> Hi,
> 
> the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
> to prevent the server from sending files that the client actually did
> not request.

That's _a_ proposed fix, but not the one we used.

Ours is:

https://anongit.mindrot.org/openssh.git/patch/?id=391ffc4b9

> Now, a consequence of that patch is that commands which
> contain server-side brace expansions such as
> 
>     $ scp remote:'/etc/{passwd,group}' .
>     error: unexpected filename: passwd
> 
> no longer work. Shell globs such as [abc], ?, *, and combinations
> thereof still work fine, but {a,b} does not.
> 
> Is that a shortcoming of the patch? Or is it intended behavior?

It's basically an inevitability that some patterns will fail. In the
general case, there's no way for the client to know what rules the
server will use to expand the filename that is passed. Throw in quoting
conventions and it's even more of a mess. For this reason, our patch
includes a flag (-T) to disable the client-side checks.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
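
Added illustration, not part of the original message and not OpenSSH's code: a sketch of why a client-side name check lets `[abc]`, `?` and `*` requests through but rejects `{a,b}`, and what disabling the check with -T gives up. It assumes the check is a POSIX fnmatch(3) match against the last component of the requested path; `request_pattern`, `client_accepts` and the sample names are hypothetical.

```c
/* Added example. Assumption: the client compares each server-supplied name
 * with the last path component of the request using POSIX fnmatch(3). */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Last path component of the requested remote path (hypothetical helper). */
static const char *request_pattern(const char *remote_path)
{
    const char *slash = strrchr(remote_path, '/');
    return slash ? slash + 1 : remote_path;
}

/* Return 1 if the client would accept `sent` for `remote_path`, else 0.
 * strict == 0 models running with the client-side check disabled (-T). */
static int client_accepts(const char *remote_path, const char *sent, int strict)
{
    if (!strict)
        return 1; /* no validation: every name the server sends is taken */
    /* fnmatch knows *, ? and [...] but treats { , } as literal characters */
    return fnmatch(request_pattern(remote_path), sent, 0) == 0;
}

int main(void)
{
    /* Constructed cases: request, name sent by the server, check enabled? */
    static const struct { const char *req, *sent; int strict; } cases[] = {
        { "/etc/[pg]*",           "passwd",          1 },
        { "/etc/passw?",          "passwd",          1 },
        { "/etc/{passwd,group}",  "passwd",          1 }, /* braces expanded remotely */
        { "/etc/{passwd,group}",  "group",           1 },
        { "/etc/{passwd,group}",  "passwd",          0 }, /* same request with -T */
        { "/etc/passwd",          "unrequested.txt", 1 }, /* name never asked for */
        { "/etc/passwd",          "unrequested.txt", 0 }, /* -T: no longer caught */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-22s sent=%-16s check=%-3s -> %s\n",
               cases[i].req, cases[i].sent, cases[i].strict ? "on" : "off",
               client_accepts(cases[i].req, cases[i].sent, cases[i].strict)
                   ? "accept" : "reject");
    return 0;
}
```

The last two rows show the trade-off: with the check off the brace request works again, but a name that was never requested is accepted as well.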


