Re: Deprecation of scp protocol and improving sftp client

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, Jul 31, 2020 at 04:29:13PM -0700, Ethan Rahn <ethan.rahn@xxxxxxxxx> wrote:

> I wanted to bring this up again due to:
> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> issue with scp which it sounds like cannot be fixed without breaking scp.
> This seems like it would lend some impetus to doing _something_, even if it
> breaks scp or necessitates using something new.
> 
> Cheers,
> Ethan

Surely, executing the scp -t command without using the
shell would fix this without breaking any legitimate
usage. And it would be much easier and more effective
than sanitising the path. Paths can contain almost any
byte.

Mind you, it wouldn't stop the legitimate user from
just logging in and performing the same actions manually.
But it would help in cases where users can scp but not ssh
to a host.

cheers,
raf

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux