Blumenthal, Uri - 0553 - MITLL
2020-Aug-01 00:17 UTC
Deprecation of scp protocol and improving sftp client
Why can the local and remote paths be sanitized?

Regards,
Uri

> On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>
> I wanted to bring this up again due to:
> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> issue with scp which it sounds like cannot be fixed without breaking scp.
> This seems like it would lend some impetus to doing _something_, even if it
> breaks scp or necessitates using something new.
>
> Cheers,
>
> Ethan
>
>> On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser at tarent.de> wrote:
>>
>>> On Wed, 15 Jul 2020, Red Cricket wrote:
>>>
>>> I have had this in my .bashrc for years:
>>>
>>> alias scp='rsync -avzP'
>>
>> Similar, though I named it rcp because nobody has the real rcp installed
>> any more, but sometimes I need scp to connect to systems that lack rsync.
>>
>> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>>
>>> maybe rsync is a better replacement for scp than sftp would be?
>>
>> It could be, were it not under a restrictive licence…
>>
>> This doesn't preclude people from making SSH's builtin transfers
>> better, though.
>>
>> bye,
>> //mirabilos
>> --
>> "MyISAM tables -will- get corrupted eventually. This is a fact of life."
>> "mysql is about as much database as ms access" - "MSSQL at least descends
>> from a database" "it's a rebranded SyBase" "MySQL however was born from a
>> flatfile and went downhill from there" - "at least jetDB doesn't claim to
>> be a database" (#nosec) ‽‽‽ Please let MySQL and MariaDB finally die!
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> Why can the local and remote paths be sanitized?

Because remote path is *expected* to be expanded by remote shell before
executing remote scp. If you sanitize it in any way, you will break
existing use cases.

> Regards,
> Uri
>
> > On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote:
> >
> > I wanted to bring this up again due to:
> > https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> > issue with scp which it sounds like cannot be fixed without breaking scp.
> > This seems like it would lend some impetus to doing _something_, even if it
> > breaks scp or necessitates using something new.
> >
> > Cheers,
> >
> > Ethan
> >
> > > On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser at tarent.de> wrote:
> > >
> > > > On Wed, 15 Jul 2020, Red Cricket wrote:
> > > >
> > > > I have had this in my .bashrc for years:
> > > >
> > > > alias scp='rsync -avzP'
> > >
> > > Similar, though I named it rcp because nobody has the real rcp installed
> > > any more, but sometimes I need scp to connect to systems that lack rsync.
> > >
> > > https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
> > >
> > > > maybe rsync is a better replacement for scp than sftp would be?
> > >
> > > It could be, were it not under a restrictive licence…
> > >
> > > This doesn't preclude people from making SSH's builtin transfers
> > > better, though.
> > >
> > > bye,
> > > //mirabilos
> > > --
> > > "MyISAM tables -will- get corrupted eventually. This is a fact of life."
> > > "mysql is about as much database as ms access" - "MSSQL at least descends
> > > from a database" "it's a rebranded SyBase" "MySQL however was born from a
> > > flatfile and went downhill from there" - "at least jetDB doesn't claim to
> > > be a database" (#nosec) ‽‽‽ Please let MySQL and MariaDB finally die!

--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
Blumenthal, Uri - 0553 - MITLL
2020-Aug-03 13:47 UTC
Deprecation of scp protocol and improving sftp client
I conjecture that only few of the existing use cases rely on remote expansion.
In any case (no pun intended), IMHO it would be better to break a few of the
current use cases but leave the majority functional - than kill scp for all.

Regards,
Uri

> On Aug 3, 2020, at 02:50, Jakub Jelen <jjelen at redhat.com> wrote:
>
> On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>> Why can the local and remote paths be sanitized?
>
> Because remote path is *expected* to be expanded by remote shell before
> executing remote scp. If you sanitize it in any way, you will break
> existing use cases.
>
>> Regards,
>> Uri
>>
>>> On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>>>
>>> I wanted to bring this up again due to:
>>> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
>>> issue with scp which it sounds like cannot be fixed without breaking scp.
>>> This seems like it would lend some impetus to doing _something_, even if it
>>> breaks scp or necessitates using something new.
>>>
>>> Cheers,
>>>
>>> Ethan
>>>
>>>> On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser at tarent.de> wrote:
>>>>
>>>>> On Wed, 15 Jul 2020, Red Cricket wrote:
>>>>>
>>>>> I have had this in my .bashrc for years:
>>>>>
>>>>> alias scp='rsync -avzP'
>>>>
>>>> Similar, though I named it rcp because nobody has the real rcp installed
>>>> any more, but sometimes I need scp to connect to systems that lack rsync.
>>>>
>>>> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>>>>
>>>>> maybe rsync is a better replacement for scp than sftp would be?
>>>>
>>>> It could be, were it not under a restrictive licence…
>>>>
>>>> This doesn't preclude people from making SSH's builtin transfers
>>>> better, though.
>>>>
>>>> bye,
>>>> //mirabilos
>>>> --
>>>> "MyISAM tables -will- get corrupted eventually. This is a fact of life."
>>>> "mysql is about as much database as ms access" - "MSSQL at least descends
>>>> from a database" "it's a rebranded SyBase" "MySQL however was born from a
>>>> flatfile and went downhill from there" - "at least jetDB doesn't claim to
>>>> be a database" (#nosec) ‽‽‽ Please let MySQL and MariaDB finally die!
>
> --
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
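An added example, not code from OpenSSH or from anyone in this thread, that makes the trade-off in Jakub's and Uri's messages concrete: a preflight classifier for the path part of an scp remote argument (the text after `host:`). It separates paths that reach remote scp unchanged, paths that depend on the remote shell expanding them (which quoting, i.e. "sanitizing", would silently break), and paths that let the remote shell run something other than scp; the three categories, the policy they imply and the sample paths are the example's own assumptions, not rules taken from the thread.

```python
import re
from collections import Counter

# Characters that let the remote login shell run something besides scp:
# command substitution, command separators, pipes, redirections.
_EXEC = re.compile(r"`|\$\(|[;&|<>\n]")
# Characters the remote shell interprets but which only yield file names
# or values: globs, a leading tilde, $VAR / ${VAR}, quoting, backslashes.
_EXPAND = re.compile(r"[*?\[\]'\"\\]|^~|\$\{?[A-Za-z_]")


def classify(remote_path: str) -> str:
    """Classify the path part of an scp remote argument.

    'exec'      - remote shell may run commands; a wrapper should refuse it
    'expansion' - relies on remote shell expansion; quoting would break it
    'literal'   - reaches remote scp unchanged whether quoted or not
    """
    if _EXEC.search(remote_path):
        return "exec"
    if _EXPAND.search(remote_path):
        return "expansion"
    return "literal"


def quote_for_remote_shell(remote_path: str) -> str:
    """Single-quote so the remote shell passes the path through verbatim.

    This is what "sanitizing" means in practice; applied to an 'expansion'
    path it turns ~/logs/*.gz into a literal file name of that spelling.
    """
    return "'" + remote_path.replace("'", "'\\''") + "'"


def audit(remote_paths):
    """Count how many of a set of remote paths fall into each class.

    Run over the remote arguments of one's own past scp invocations (for
    example extracted from shell history) this gives the number the thread
    argues about: how many real uses a quoting or refusing policy breaks.
    """
    return Counter(classify(p) for p in remote_paths)


# Constructed sample of remote-path arguments (assumption, not from the thread).
SAMPLE_PATHS = [
    "/var/log/messages",           # literal
    "backup-2020-07-31.tar.gz",    # literal
    "~/logs/*.gz",                 # expansion: tilde and glob
    "$HOME/.ssh/authorized_keys",  # expansion: variable
    "'my file.txt'",               # expansion: remote-side quoting
    "/tmp/`hostname`.log",         # exec: command substitution
    "$(date +%F).tar",             # exec: command substitution
    "a;b",                         # exec: command separator
]
```

`audit(SAMPLE_PATHS)` reports 2 literal, 3 expansion and 3 exec; the last two sample paths show that a refusing policy also breaks some benign habits, which is the cost Uri proposes to accept.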