RE: scp -t . - possible idea for additional parameter - openssh
On Thu, 11 Oct 2007, Larry Becke wrote:
> On 2007-10-11 18:01, Larry Becke wrote:
> >> Can this be done?
> >Theoretically. See my previous message.
> I must have missed it.
> > Is it so terribly hard to add the feature?
> >It's not easy. See my previous message, and do a little research on path
> >canonicalization and past directory traversal vulnerabilities in, e.g.
> >IIS and Apache, to understand this better.
> To throw an error and exit if "../" is in the remote path parameter?
> To add a "./" between hostname: and /path/to/dir in the remote path parameter?

That is probably insufficient and likely to break some software that
uses scp. You could use realpath(3) and compare the stem, but that has a
downside too: it will break on traverse-only directories.

Just to be clear, I have zero interest in making any feature additions
to scp and I think most of the developers feel the same way. It is a
difficult protocol to extend, and its use of a shell-expanded commandline
to inform it of which files to transfer makes it very brittle. Given its
very widespread use, I think it is best to leave it be and concentrate
efforts on making sftp/sftp-server a compelling substitute.

PS. I don't know what mail client you are using, but it is mangling
the quoting in your replies into an unreadable mess.
openssh-unix-dev mailing list
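
The realpath(3)-and-compare-the-stem check mentioned in the reply, set beside the "../" substring filter proposed in the quoted question. This is an added example, not part of the original post and not OpenSSH code; the function names and the temporary jail/jailbreak fixture are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath(3), mkdtemp(3), symlink(2) */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The filter proposed in the thread: refuse any path containing "../". */
int naive_allows(const char *path) { return strstr(path, "../") == NULL; }

/* realpath(3) and stem comparison: canonicalize both paths, then require the
 * target to be the base itself or to continue with '/' right after the stem. */
int realpath_allows(const char *base, const char *path) {
    char rbase[PATH_MAX], rpath[PATH_MAX];
    if (!realpath(base, rbase) || !realpath(path, rpath))
        return 0;  /* cannot be resolved: fail closed */
    size_t n = strlen(rbase);
    if (strncmp(rbase, rpath, n) != 0) return 0;
    return rpath[n] == '\0' || rpath[n] == '/';  /* "jail" must not match "jailbreak" */
}

static char root[64];  /* constructed fixture root, filled in by setup() */
/* Builds <root>/jail, <root>/jailbreak and the symlink jail/link -> <root>/jailbreak. */
int setup(void) {
    char p[PATH_MAX], q[PATH_MAX];
    strcpy(root, "/tmp/scpdemoXXXXXX");
    if (!mkdtemp(root)) return -1;
    snprintf(p, sizeof p, "%s/jail", root);
    snprintf(q, sizeof q, "%s/jailbreak", root);
    if (mkdir(p, 0700) || mkdir(q, 0700)) return -1;
    snprintf(p, sizeof p, "%s/jail/link", root);
    return symlink(q, p);
}

/* Verdict for <root>/jail/<rel> under either check (1 = transfer allowed). */
int check(const char *rel, int use_realpath) {
    char base[PATH_MAX], path[PATH_MAX];
    snprintf(base, sizeof base, "%s/jail", root);
    snprintf(path, sizeof path, "%s/jail/%s", root, rel);
    return use_realpath ? realpath_allows(base, path) : naive_allows(path);
}

int main(void) {
    const char *rel[] = { "link", "..", "./../jail" };
    if (setup()) return 1;
    for (int i = 0; i < 3; i++)
        printf("%-10s naive=%d realpath=%d\n", rel[i], check(rel[i], 0), check(rel[i], 1));
    return 0;
}
```

The substring filter passes the symlink and a trailing `..` while rejecting a path that stays inside the directory; the canonicalized comparison gets all three right, but only for paths it is able to resolve.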