On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> Why can the local and remote paths be sanitized?

Because remote path is *expected* to be expanded by remote shell before
executing remote scp. If you sanitize it in any way, you will break
existing use cases.

> Regards,
> Uri
>
> > On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn@xxxxxxxxx> wrote:
> >
> > I wanted to bring this up again due to:
> > https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> > issue with scp which it sounds like cannot be fixed without breaking scp.
> > This seems like it would lend some impetus to doing _something_, even if it
> > breaks scp or necessitates using something new.
> >
> > Cheers,
> >
> > Ethan
> >
> > > On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser@xxxxxxxxx> wrote:
> > >
> > > > On Wed, 15 Jul 2020, Red Cricket wrote:
> > > >
> > > > I have had this in my .bashrc for years:
> > > >
> > > > alias scp='rsync -avzP'
> > >
> > > Similar, though I named it rcp because nobody has the real rcp installed
> > > any more, but sometimes I need scp to connect to systems that lack rsync.
> > >
> > > https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
> > >
> > > > maybe rsync is a better replacement for scp than sftp would be?
> > >
> > > It could be, were it not under a restrictive licence…
> > >
> > > This doesn’t preclude people from making SSH’s builtin transfers
> > > better, though.
> > >
> > > bye,
> > > //mirabilos
> > > --
> > > «MyISAM tables -will- get corrupted eventually. This is a fact of life.»
> > > “mysql is about as much database as ms access” – “MSSQL at least descends
> > > from a database” “it's a rebranded SyBase” “MySQL however was born from a
> > > flatfile and went downhill from there” – “at least jetDB doesn’t claim to
> > > be a database” (#nosec) ‣‣‣ Please let MySQL and MariaDB finally die!

--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
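
The trade-off described in the reply above, as an added example that is not part of the original thread or of OpenSSH: a local `sh -c` stands in for the remote login shell and `printf` for the remote scp (both assumptions, as are the function names), showing that an unmodified path is glob- and variable-expanded while a quoted one arrives literally.

```shell
#!/bin/sh
# Added illustration. The legacy scp protocol asks the remote side to run a
# command string of the form "scp -t <path>", which the remote user's shell
# parses. Here `sh -c` plays that shell and `printf` plays the remote scp,
# so the output shows exactly which arguments the remote program would get.

# remote_argv PATH (hypothetical helper): PATH is placed in the command
# string unmodified, so the shell expands it before the program runs.
remote_argv() {
    sh -c "printf '[%s]' $1"
}

# remote_argv_quoted PATH (hypothetical helper): PATH is single-quoted first,
# i.e. "sanitized". The shell then passes it through as one literal argument.
remote_argv_quoted() {
    escaped=$(printf '%s' "$1" | sed "s/'/'\\\\''/g")
    sh -c "printf '[%s]' '$escaped'"
}

# demo: constructed sample files in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    touch "$dir/a.log" "$dir/b.log"

    echo "unmodified glob:  $(remote_argv "$dir/*.log")"
    echo "quoted glob:      $(remote_argv_quoted "$dir/*.log")"
    echo "unmodified \$HOME: $(remote_argv '$HOME/x')"
    echo "quoted \$HOME:     $(remote_argv_quoted '$HOME/x')"

    rm -rf "$dir"
}

demo
```

With quoting, a request such as `host:dir/*.log` would name a single file literally called `*.log`, which is the kind of existing use case that stops working.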