On Thu, 11 Oct 2007, Larry Becke wrote:

>
> On 2007-10-11 18:01, Larry Becke wrote:
> >> Can this be done?
> > Theoretically. See my previous message.
> I must have missed it.
> >> Is it so terribly hard to add the feature?
> > It's not easy. See my previous message, and do a little research on path
> > canonicalization and past directory traversal vulnerabilities in, e.g.
> > IIS and Apache, to understand this better.

>
> To throw an error and exit if "../" is in the remote path parameter?
> To add a "./" between hostname: and /path/to/dir in the remote path parameter?


That is probably insufficient and likely to break some software that
uses scp. You could use realpath(3) and compare the stem, but that has a
downside too: it will break on traverse-only directories.

Just to be clear, I have zero interest in making any feature additions
to scp and I think most of the developers feel the same way. It is a
difficult protocol to extend, and its use of a shell-expanded commandline
to inform it of which files to transfer makes it very brittle. Given its
very widespread use, I think it is best to leave it be and concentrate
efforts on making sftp/sftp-server a compelling substitute.

-d

PS. I don't know what mail client you are using, but it is mangling
the quoting in your replies into an unreadable mess.