thr3ads.net - openssh bugs - [Bug 424] scp mishandles files with spaces in names [Nov 2008]

If this information is useful, please help other people find it:
Share via:

bugzilla-daemon at bugzilla.mindrot.org

2008-Nov-02 21:04 UTC

[Bug 424] scp mishandles files with spaces in names

https://bugzilla.mindrot.org/show_bug.cgi?id=424


Anders Kaseorg <anders at kaseorg.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |anders at kaseorg.com




--- Comment #4 from Anders Kaseorg <anders at kaseorg.com>  2008-11-03
08:04:05 ---
Can someone explain why this is a protocol problem?  If there?s a
client-side workaround, why isn?t the filename escaped in the scp
client?

This is a potentially nasty security problem for a trusted script that
scps files from a remote machine, because a malicious filename
containing `` could cause arbitrary code to be executed remotely.

A similar problem exists with the ssh client:

$ touch "123 456" 789; ls
123 456
789
$ ssh host touch "123 456" 789; ssh host ls
123
456
789

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

openssh bugs - Nov 2008 - [Bug 424] scp mishandles files with spaces in names

[Bug 424] scp mishandles files with spaces in names