|
|
Log in / Subscribe / Register

OpenSSH 8.0 released

OpenSSH 8.0 released

Posted Apr 18, 2019 22:57 UTC (Thu) by k8to (guest, #15413)
Parent article: OpenSSH 8.0 released

That vulnerability is a bit odd.
In scp, I can do

scp server:/path/to/a/file.txt target.txt

and this should open and write to target.txt. I would be surprised if the server knew about that at all. Though I don't know.

Since that's implemented somehow, you would expect

scp server:/path/to/a/file.txt .

to just be client shorthand for

scp server:/path/to/a/file.txt ./file.txt

It seems seriously weird that it would not.

But there is also functionality like this:

scp server:/path/to/* .

where you just trust the remote server won't send you evil filenames that will destroy your world. And I don't see how you can solve that problem.

So it seems that the specific-file codepaths lazily used the known-file filepaths. Which is unfortunate, but not shocking, since scp -r is commonly enough used.

to post comments

OpenSSH 8.0 released

Posted Apr 19, 2019 1:12 UTC (Fri) by epa (subscriber, #39769) [Link]

When you get back a filename from the server you check that it is a relative path (does not begin /) and is canonical (does not contain ..). And you check that it is a possible expansion of the glob pattern you gave (which is effectively the same as doing a regular expression match, just with different syntax). That should be enough.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds