Re: SCP a file in my home folder
- Subject: Re: SCP a file in my home folder
- From: Guy Morand <guy@xxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 22 Jun 2020 14:54:45 +0200
- To: libssh@xxxxxxxxxx, Jakub Jelen <jjelen@xxxxxxxxxx>
Jakub,

Thanks for your kind feedback. Indeed, using SFTP seems to work as expected with different libssh versions!

Best regards,
Guy Morand

On 6/17/20 11:02 AM, Jakub Jelen wrote:
> On Wed, 2020-06-17 at 09:22 +0200, Guy Morand wrote:
>> Hallo libssh developers,
>>
>> I would like to copy a file on a remote device using libssh. With 0.8.7, it was working great with something like:
>> ```
>> _scp_handle = ssh_scp_new(_ssh_session, SSH_SCP_WRITE, "~");
>> // ....
>> ssh_scp_push_file(_scp_handle, "my-file.txt", _update_package.size(), 0666);
>> ```
>> But with a newer version, this results in a file called "~" in my home folder. The home folder is not in the standard "/home/" directory, and I don't want to hard code the path. Without being 100% sure, I suspect this problem was introduced when fixing CVE-2019-14889.
>
> Hi,
> you are right. This change is related to the CVE-2019-14889 [1]. Previously, no escaping was done and using maliciously crafted arguments can cause execution of arbitrary commands on server. Previously, the tilde expansion was happening in the remote shell, which is now prevented. Indeed, it is not ideal as it breaks previously working use cases.
>
>> What am I doing wrong? Any suggestion?
>
> Would it work for you to use SFTP? It has a nicer API and should come with fewer surprises.
>
> [1] https://www.libssh.org/security/advisories/CVE-2019-14889.txt
>
> Regards,
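
Why escaping the SCP location stops both command injection and tilde expansion, as an added illustration that is not part of the original thread and is not libssh's own code. It assumes the client asks the remote shell to run `scp -t <location>` and that escaping is done with POSIX single quotes; `shell_quote` and `scp_sink_command` are hypothetical helpers and the sample paths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: quote `in` for a POSIX shell by wrapping it in
 * single quotes and rewriting each embedded ' as '\'' .
 * Returns a malloc'd string, or NULL on allocation failure. */
char *shell_quote(const char *in)
{
    size_t n = strlen(in), i, o = 0;
    char *out = malloc(4 * n + 3);      /* worst case: every byte is ' */
    if (out == NULL) return NULL;
    out[o++] = '\'';
    for (i = 0; i < n; i++) {
        if (in[i] == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = in[i];
    }
    out[o++] = '\'';
    out[o] = '\0';
    return out;
}

/* Hypothetical helper: build the command line handed to the remote shell.
 * quote == 0 models the old behaviour (location pasted in verbatim),
 * quote != 0 models the escaped behaviour. */
char *scp_sink_command(const char *location, int quote)
{
    char *arg = quote ? shell_quote(location) : NULL;
    const char *use = quote ? arg : location;
    char *cmd = NULL;
    if (use != NULL) {
        size_t len = strlen("scp -t ") + strlen(use) + 1;
        cmd = malloc(len);
        if (cmd != NULL) snprintf(cmd, len, "scp -t %s", use);
    }
    free(arg);
    return cmd;
}

int main(void)
{
    /* Constructed sample locations: tilde, shell metacharacter, quote. */
    const char *samples[] = { "~", "dir; echo INJECTED", "it's" };
    for (size_t i = 0; i < 3; i++) {
        char *raw = scp_sink_command(samples[i], 0);
        char *q = scp_sink_command(samples[i], 1);
        printf("unquoted: %s\nquoted:   %s\n", raw ? raw : "(oom)", q ? q : "(oom)");
        free(raw); free(q);
    }
    return 0;
}
```

In the unquoted form the shell expands `~` and treats `;` as a command separator; in the quoted form both reach `scp` as literal bytes, which is why the upload lands in a file named `~`.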