--===============1226721840==
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha1; protocol="application/pgp-signature"

--=-=-=

On Thu 2007-10-11 11:00:41 -0400, Larry Becke wrote:

> I want to add a simple parameter parse that errors out if "../" is
> in the remote path, and adds "./" between the host segment and path
> segment of the remote path.

[...]
> It's a very subtle change, one that won't impact anyone who uses scp
> in it's default manner


Could there be higher-level apps using scp as a transport layer which
generate paths that include '../' in them that don't actually navigate
outside of the top level? Something like:

scp fubar:./data/src/foo/foo-1.3/subsystem/../main.c ./

I can imagine some makefile structures generating paths like that, for
example. Would your patched scp reject such (valid) requests?

What if i have a directory named "stuff..." ? (we've all seen users
with weirder file names, yes?) Would you reject (valid) transfers
referring to that directory?

scp fubar:.data/stuff.../myfile.txt ./

These are rhetorical questions; their point is that path
canonicalization/verification is not necessarily as easy as you're
suggesting it is.

Other people on this list have offered you well-tested, functional
techniques you can use now to acheive the goal you've stated. These
alternate approaches don't modify the functionality of a tool whose
interface is currently stable.

If your goal is effectively jailed scp access, why not try one of
these other techniques? You can always report back if it causes
problems for some reason.

The openssh developers have already stated their reluctance to modify
the behavior of /usr/bin/scp, and there are other (quite good) options
available.

Regards,

--dkg

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQIVAwUBRw5QkszS7ZTSFznpAQKs5w//apbBZ4L+k3+qJFX1y3aDjxt8pojWGwdL
gFuUbhdsowtEoMLO1jaGRF8tmj6uTlkzA8Zegd7EVpxwbG2MC2 u1c+oPdDN87WUS
miSOvFlWStsvEuyRUYqU4E3EuSvXk8J3WJtuY5EPvNox7qO7Nv R25BihElPqVt3L
gdv3GvvJ+SbV7vNELKuGMRnvXVTU5eAFdJWkvwvaHu//RBotBPoHNYnIMhhjmCiw
kvdJsjTvBATiL7DxEunDkxk+raTP5yty20ske98paEiYfGnVyf PsjeOKNMs0fpGN
oaLsers/PgG4TKaeGQd09maqqjsSGNeWMTQNdUCf19B5x4ROUKTjyYNey7 Gsp7UO
ddvMpeX/yv16Ccl8SFwCydXvCkqThoazYAYZjlv4nFhPun5hPzX6dTffs6 cbL2xA
Nb0DQFcc5S3sXBRqplKy2GabCmOaiXrD83DgHOYBe8/0DMkjqhUI/LfNy6j7HVcD
Frj5D7wcsWyp142QDkTK68jRQHeQSMdpAXXQ48us7xC3yWWh0F osfWfcbBcEGAog
4VIPxWD3K1pcSv4B8sJzzCLFiQvk3pLoa9PKdo8CdKaI1g0F1K kYw60YlrfaTt9L
9z8qTAe1RgvhozIh7L9H1e2SYzFtqCJGFpt6PWf2NFCtZzoRjo +b17LtCBJ8I5ZA
3/QVbSZ4Hbk=
=jwrU
-----END PGP SIGNATURE-----
--=-=-=--

--===============1226721840==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev

--===============1226721840==--