openssh bugs - Oct 2025 - [Bug 3871] New: scp traversing outside of destination dir when copying .. or ../..

https://bugzilla.mindrot.org/show_bug.cgi?id=3871

            Bug ID: 3871
           Summary: scp traversing outside of destination dir when copying
                    .. or ../..
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: scp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: srot.karel at gmail.com

When copying directories like .. or ../.. scp will not store copied
files under the destination directory but above it.

I am not sure if this behavior is expected feature or if it is a
regression but it is definitely confusing.

This seems to be due to transition to sftp, it doesn't happen when -O
option is used.

Tested as well with the current upstream openssh portable, commit
https://github.com/openssh/openssh-portable/commit/b9f6a84ea383d811216de38219472214963c10b2

Reproducer:


# prepare and verify test data
$ mkdir -p A/B/C
$ touch A/B/C/boom
$ mkdir ~/DEST
$ cd A/B/C
$ ls ../..
B

# try to copy B to ~/DEST
$ scp -r ../.. karel at localhost:~/DEST
karel at localhost's password:
boom 100% 0 0.0KB/s 00:00

# nothing there though
$ ls ~/DEST/

# B has been stored in ~ instead
$ ls ~
A B DEST
$ find / -name boom 2> /dev/null
/home/karel/A/B/C/boom
/home/karel/B/C/boom

# scp won't be allow to write where it is not permitted though.
# similar scenario with ..
$ cd ~/A/B
$ ls
C
$ scp -r .. karel at localhost:~
karel at localhost's password:
scp: stat remote: No such file or directory
scp: remote setstat "/home": Permission denied
scp: failed to upload directory .. to ~

we can see that scp doesn't resolve .. or ../.. to proper directory
names

With scp -O option the outcome is different:

$ cp -O -r ../.. karel at localhost:~/DEST
scp: error: unexpected filename: ..

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3871

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3901|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3901
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3901&action=edit
fix

I think this should fix it

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3871

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3901|ok?(dtucker at dtucker.net)    |ok+
              Flags|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3871

Dmitry Belyavskiy <dbelyavs at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dbelyavs at redhat.com

--- Comment #2 from Dmitry Belyavskiy <dbelyavs at redhat.com> ---
Great, thanks! A test maybe?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.