
Bug#327019: ssh: scp allows remote execution of shell commands when semicolon is used in filename



On Mon, Sep 12, 2005 at 10:17:39AM +0700, Alexey Feldgendler wrote:
> Colin Watson wrote:
> >scp's protocol has always been this way (it is essentially just 'ssh
> >remotehost scp -f/-t ...'), and there isn't much that can be done about
> >it at this stage without breaking compatibility with other systems. Yes,
> >it's broken and annoying, but it doesn't open any new security holes
> >because it's just using ssh's standard facilities for executing remote
> >commands; the scp server, such as it is (just scp with some extra
> >options) does not execute those commands itself.
> 
> Why can't scp just escape all suspicious characters with backslashes  
> before giving them to the shell? Will that break anything?

Yes, it will break the scp protocol because the server end isn't
expecting that, and you can't change the server end because then you'd
become incompatible with old clients. This cannot be fixed in scp
because there is no provision for revising the protocol. Use sftp.

> Aside from security issues, this bug has also a practical implication: scp  
> can't be easily used to download files whose names contain spaces or other  
> nasty characters. (That was how I found the bug.)

That's an old and fairly well-known bug, yes, but cannot be fixed in scp
without breaking the protocol. Use sftp.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
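
An added example, not part of the original message or of OpenSSH: a small Python checker that approximates how the remote shell parses the `scp -f ...` command string described above, to flag remote paths that would be split at spaces or at `;` and to confirm that a name quoted by the user for the remote shell arrives as one argument. The function names and sample file names are constructed for illustration, and the parse is an approximation built on `shlex`.

```python
import shlex

OPERATORS = set("();<>|&")  # characters shlex reports as shell punctuation

def remote_command(typed):
    # Per the message above, scp is essentially 'ssh remotehost scp -f ...':
    # the path reaches the remote shell exactly as typed.
    return "scp -f " + typed

def quoted(name):
    # Quoting applied by the user for the remote shell (not by scp itself).
    return shlex.quote(name)

def shell_view(command):
    """Approximate the remote shell's parse: split into segments at shell
    operators, each segment a list of words. Models word splitting, quoting
    and operators only (no globbing or $-expansion); a quoted name made up
    solely of operator characters is misreported. Needs Python 3.8+."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""          # '#' inside a word is not a comment
    segments, words = [], []
    for tok in lex:
        if tok and set(tok) <= OPERATORS:
            if words:
                segments.append(words)
            words = []
        else:
            words.append(tok)
    if words:
        segments.append(words)
    return segments

def audit(name, typed):
    """Does the remote scp receive `name` as exactly one path argument?"""
    try:
        segments = shell_view(remote_command(typed))
    except ValueError:           # unbalanced quote: shell syntax error
        return {"segments": [], "path_args": [], "intact": False}
    args = segments[0][2:]       # words after 'scp -f'
    return {"segments": segments, "path_args": args,
            "intact": len(segments) == 1 and args == [name]}

if __name__ == "__main__":
    for name in ["plain.txt", "my file.txt", "a;b.txt", "it's.txt"]:  # constructed
        for typed in (name, quoted(name)):
            print(f"{typed!r:22} intact={audit(name, typed)['intact']}")
```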



