Jakub Jelen writes: > from what I understand, the brace expansion is not expanded in the > remote scp nor sshd, but in the remote shell (the remote command is > run inside of bash -c "command"). yes, you are right of course. Thank you for pointing that out. Damien Miller writes: >> the proposed fix for CVE-2019-6111 [1] adds file name validation to >> scp [...] > > That's _a_ proposed fix, but not the one we used. > > Ours is: https://anongit.mindrot.org/openssh.git/patch/?id=391ffc4b9 I see. Thank you very much for the pointer. Best regards Peter _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev