I conjecture that only few of the existing use cases rely on remote expansion. In any case (no pun intended), IMHO it would be better to break a few of the current use cases but leave the majority functional - than kill scp for all.

Regards,
Uri

> On Aug 3, 2020, at 02:50, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
>
> On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>> Why can the local and remote paths be sanitized?
>
> Because remote path is *expected* to be expanded by remote shell before
> executing remote scp. If you sanitize it in any way, you will break
> existing use cases.
>
>> Regards,
>> Uri
>>
>>>> On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn@xxxxxxxxx> wrote:
>>>
>>> I wanted to bring this up again due to:
>>> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
>>> issue with scp which it sounds like cannot be fixed without breaking scp.
>>> This seems like it would lend some impetus to doing _something_, even if it
>>> breaks scp or necessitates using something new.
>>>
>>> Cheers,
>>>
>>> Ethan
>>>
>>>> On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser@xxxxxxxxx> wrote:
>>>>
>>>>> On Wed, 15 Jul 2020, Red Cricket wrote:
>>>>>
>>>>> I have had this in my .bashrc for years:
>>>>>
>>>>> alias scp='rsync -avzP'
>>>>
>>>> Similar, though I named it rcp because nobody has the real rcp installed
>>>> any more, but sometimes I need scp to connect to systems that lack rsync.
>>>>
>>>> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>>>>
>>>>> maybe rsync is a better replacement for scp than sftp would be?
>>>>
>>>> It could be, were it not under a restrictive licence…
>>>>
>>>> This doesn’t preclude people from making SSH’s builtin transfers
>>>> better, though.
>>>>
>>>> bye,
>>>> //mirabilos
>>>> --
>>>> «MyISAM tables -will- get corrupted eventually. This is a fact of life. »
>>>> “mysql is about as much database as ms access” – “MSSQL at least descends
>>>> from a database” “it's a rebranded SyBase” “MySQL however was born from a
>>>> flatfile and went downhill from there” – “at least jetDB doesn’t claim to
>>>> be a database” (#nosec) ‣‣‣ Please let MySQL and MariaDB finally die!
>>>> _______________________________________________
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev@xxxxxxxxxxx
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
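As an added illustration of the trade-off discussed in this thread (example code, not from the thread and not OpenSSH's own): a POSIX sh wrapper that single-quotes the remote operand so the remote login shell hands it to scp literally. It assumes a POSIX-compatible remote shell and ignores scp's bracketed IPv6 host syntax; quoting this way deliberately gives up remote glob expansion, which is exactly the use case Jakub says sanitizing would break.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# scp passes the remote operand into "ssh host scp -t/-f <path>" verbatim,
# so the remote login shell interprets it. Wrapping the path in single
# quotes makes that shell pass it through unchanged, at the cost of remote
# expansion ("host:*.log" is no longer a glob on the remote side).
# Assumptions: POSIX-compatible remote shell; no [ipv6]:path host syntax.

# Turn an arbitrary string into a single-quoted shell literal.
# Each embedded ' becomes '\'' (close quote, escaped quote, reopen).
quote_remote_path() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Quote the path part of one scp operand; leave options and local
# operands untouched. scp treats an argument as remote when it has a
# colon before any slash and does not itself start with a colon.
quote_scp_arg() {
    arg=$1
    case $arg in
        -*|:*) printf '%s' "$arg"; return ;;   # option or explicit local path
    esac
    case ${arg%%/*} in
        *:*) ;;                                # colon before first slash: remote
        *)   printf '%s' "$arg"; return ;;     # local file
    esac
    host=${arg%%:*}
    path=${arg#*:}
    if [ -z "$path" ]; then
        printf '%s' "$arg"        # "host:" alone means the remote home dir
    else
        printf '%s:%s' "$host" "$(quote_remote_path "$path")"
    fi
}

# Rebuild the argument list with every remote operand quoted, then run scp.
# Usage: safe_scp 'user@host:log archive/*.gz' ./downloads
#   -> remote side runs: scp -f 'log archive/*.gz'   (the * is sent literally)
safe_scp() {
    n=$#
    while [ "$n" -gt 0 ]; do
        set -- "$@" "$(quote_scp_arg "$1")"
        shift
        n=$((n - 1))
    done
    scp "$@"
}
```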