
Re: SCP a file in my home folder


Jakub,

Thanks for your kind feedback. Indeed, using SFTP seems to work as expected with different libssh versions!

Best regards,

Guy Morand

On 6/17/20 11:02 AM, Jakub Jelen wrote:
On Wed, 2020-06-17 at 09:22 +0200, Guy Morand wrote:
Hello libssh developers,

I would like to copy a file on a remote device using libssh. With 0.8.7,
it was working great with something like:

```
// The "~" destination relied on the remote shell expanding it
_scp_handle = ssh_scp_new(_ssh_session, SSH_SCP_WRITE, "~");
// ....
ssh_scp_push_file(_scp_handle, "my-file.txt",
                  _update_package.size(), 0666);
```

But with newer versions, this results in a file called "~" in my home
folder. The home folder is not in the standard "/home/" directory, and
I don't want to hard-code the path.


Without being 100% sure, I suspect this problem was introduced when
fixing CVE-2019-14889.

Hi,
you are right. This change is related to the CVE-2019-14889 [1].
Previously, no escaping was done and using maliciously crafted
arguments could cause execution of arbitrary commands on the server.

Previously, the tilde expansion was happening in the remote shell,
which is now prevented. Indeed, it is not ideal as it breaks previously
working use cases.

What am I doing wrong? Any suggestion?

Would it work for you to use SFTP? It has a nicer API and should come
with fewer surprises.

[1] https://www.libssh.org/security/advisories/CVE-2019-14889.txt

Regards,
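
Why the "~" destination stopped working once the path is escaped, as an added illustration (not code from this thread and not libssh's implementation): the hypothetical helpers `shell_quote` and `scp_sink_command` single-quote the destination before it reaches the remote shell, so `~` and `$HOME` arrive as literal names. The sample destinations are constructed, and the `scp -t` command line is a simplified form.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libssh's own code: wrap `path` in single quotes
 * for a POSIX shell. Inside single quotes nothing is expanded, so the only
 * byte needing care is ' itself, emitted as '\'' (close, escaped quote,
 * reopen). Returns the quoted length, or -1 if `out` is too small. */
static int shell_quote(const char *path, char *out, size_t out_len)
{
    size_t n = 0;

    if (out_len < 3)
        return -1;
    out[n++] = '\'';
    for (const char *p = path; *p != '\0'; p++) {
        size_t need = (*p == '\'') ? 4 : 1;
        if (n + need + 2 > out_len)   /* keep room for closing ' and NUL */
            return -1;
        if (*p == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *p;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Simplified remote command for an SCP upload ("sink" mode, scp -t).
 * Returns a static buffer, or NULL if the destination does not fit. */
const char *scp_sink_command(const char *dest)
{
    static char cmd[512];
    char quoted[480];

    if (shell_quote(dest, quoted, sizeof(quoted)) < 0)
        return NULL;
    snprintf(cmd, sizeof(cmd), "scp -t %s", quoted);
    return cmd;
}

int main(void)
{
    const char *samples[] = { "~", "$HOME", "/tmp/it's here" }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i], scp_sink_command(samples[i]));
    return 0;
}
```

With SFTP the path travels as protocol data rather than inside a shell command line, so no shell quoting or expansion is involved.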


References:
SCP a file in my home folder, Guy Morand <guy@xxxxxxxxxxxxx>
Re: SCP a file in my home folder, Jakub Jelen <jjelen@xxxxxxxxxx>