On Mon, 4 Nov 2019, David Newall wrote:

> On 4/11/19 3:29 am, Demi M. Obenour wrote:
> > I have not been able to get scp(1) to download a file with a newline
> > in its name. I know that scp(1) requires that remote filenames be
> > escaped for the shell, but that leads to protocol errors.
>
> I see something much worse:
>
> $ sudo sh
> # echo "#!/bin/sh
> touch /tmp/b-ran" > /tmp/b
> # chmod a+x /tmp/b
> # exit
> $ touch a 'a
> b'
> $ rm -f abc /tmp/b-ran
> $ scp localhost:'a
> b' abc
> a 100% 0 0.0KB/s
> 00:00
> $ ls /tmp/b-ran
> /tmp/b-ran
>
> Scp can be exploited to run commands, which I think is a problem.

scp isn't being exploited, you're just running commands in your own
remote shell and all interpretation happens there - scp never sees
those characters.

This "feature" dates back to rcp from 1981 (scp is rcp in a nicer
pair of shoes) and isn't fixable without breaking scp's "protocol".

-d
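
The remote-shell parsing described in the reply above, reproduced locally as an added example that is not part of the original thread or of OpenSSH. A child `sh -c` stands in for the login shell on the server; `fake_scp`, the stub `b`, `sh_quote` and `remote_view` are hypothetical names, and the file name is a constructed sample matching the one in the thread.

```shell
#!/bin/sh
# Added illustration: how a shell on the receiving end parses a command string
# that has a file name pasted into it, with and without quoting.

# Quote a string for a POSIX shell: wrap it in single quotes and rewrite each
# embedded ' as '\'' (close quote, escaped quote, reopen quote).
# The trailing "x" sentinel keeps $(...) from eating a trailing newline.
# Note: uses the global variable q (POSIX sh has no "local").
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Stand-in for the remote side. A fresh sh parses "fake_scp -f <word>" the way
# the server-side shell parses the command string it is handed.
#   fake_scp : prints every path argument it receives, in brackets
#   b        : stub command, so we can see when "b" is run as a command
remote_view() {
    sh -c "
fake_scp() { shift; for arg in \"\$@\"; do printf '[%s]' \"\$arg\"; done; }
b() { printf '<b ran as a command>'; }
fake_scp -f $1"
}

# Constructed sample: the file name from the thread, "a", newline, "b".
name='a
b'

# Unquoted: the newline ends the first command, so the shell sees two commands.
printf 'unquoted: %s\n' "$(remote_view "$name")"

# Quoted: the shell hands the whole name to fake_scp as a single argument.
printf 'quoted:   %s\n' "$(remote_view "$(sh_quote "$name")")"
```

This models only the shell-parsing layer, assuming a POSIX shell on the far side. It does not model the scp transfer itself, which the thread reports still fails with protocol errors for a name containing a newline even when the name is escaped.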