Re: SCP a file in my home folder
- Subject: Re: SCP a file in my home folder
- From: Jakub Jelen <jjelen@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Wed, 17 Jun 2020 11:02:52 +0200
- To: libssh@xxxxxxxxxx
On Wed, 2020-06-17 at 09:22 +0200, Guy Morand wrote:
> Hello libssh developers,
>
> I would like to copy a file on a remote device using libssh. With
> 0.8.7, it was working great with something like:
>
> ```
> _scp_handle = ssh_scp_new(_ssh_session, SSH_SCP_WRITE, "~");
> // ....
> ssh_scp_push_file(_scp_handle, "my-file.txt",
>                   _update_package.size(), 0666);
> ```
>
> But with newer versions, this results in a file called "~" in my home
> folder. The home folder is not in the standard "/home/" directory, and
> I don't want to hard code the path.
>
> Without being 100% sure, I suspect this problem was introduced when
> fixing CVE-2019-14889.

Hi,
you are right. This change is related to the CVE-2019-14889 [1].
Previously, no escaping was done and using maliciously crafted
arguments can cause execution of arbitrary commands on the server.
Previously, the tilde expansion was happening in the remote shell,
which is now prevented. Indeed, it is not ideal as it breaks previously
working use cases.

> What am I doing wrong? Any suggestion?

Would it work for you to use SFTP? It has a nicer API and should come
with fewer surprises.

[1] https://www.libssh.org/security/advisories/CVE-2019-14889.txt

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
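Added example, not part of the thread and not libssh code: a local simulation of why escaping the SCP location stops tilde expansion in the remote shell, and why the same escaping keeps shell metacharacters in the location literal. The names `sq_quote`, `remote_sees` and `FAKE_HOME` are hypothetical, and the single-quote escaping shown is a generic scheme assumed for illustration, not libssh's exact routine.

```sh
#!/bin/sh
# Constructed stand-in for the remote user's non-standard home directory.
FAKE_HOME=/constructed/home/guy

# sq_quote (hypothetical helper): wrap $1 in single quotes, rewriting every
# embedded ' as '\'' so a POSIX shell reads the whole argument literally.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_sees (hypothetical helper): splice $1 into a command line and let a
# child shell parse it with HOME set to FAKE_HOME, the way a remote login
# shell would parse the command string sent for an SCP transfer. Prints the
# argument the command finally receives.
remote_sees() {
    HOME=$FAKE_HOME sh -c "printf '%s' $1"
}

# Constructed sample locations: the bare tilde from the thread, a path under
# the home directory, and a location carrying a second (harmless) command.
for name in '~' '~/my-file.txt' '~; echo EXTRA'; do
    printf 'location:  %s\n' "$name"
    # No escaping: the shell expands ~ and also acts on the ';'.
    printf '  unquoted -> %s\n' "$(remote_sees "$name")"
    # Escaped: the shell passes the text through untouched, so "~" becomes a
    # file name instead of the home directory.
    printf '  quoted   -> %s\n' "$(remote_sees "$(sq_quote "$name")")"
done
```

The quoted rows show the trade-off described in the reply: once the location is treated as data, the shell no longer resolves `~`, so the home directory has to be resolved another way, for example through SFTP as suggested.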