upstream: check in scp client that filenames sent during

remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda CVE-2019-6111 Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc Last-Update: 2019-02-08 Patch-Name: check-filenames-in-scp-client.patch
author: djm@openbsd.org <djm@openbsd.org> 2019-01-26 22:41:28 +0000
committer: Colin Watson <cjwatson@debian.org> 2019-02-08 16:39:38 +0000
commit: 125924e47db3713a85a70e0f8d6c23818d2ea054 (patch)
tree: c8427bede4b2f4577f27250dbd84c8f8c50928de /scp.1
parent: 2a8f710447442e9a03e71c022859112ec2d77d17 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/scp.1 b/scp.1
index 0e5cc1b2d..397e77091 100644
--- a/scp.1
+++ b/scp.1
@@ -18,7 +18,7 @@
 .Nd secure copy (remote file copy program)
 .Sh SYNOPSIS
 .Nm scp
-.Op Fl 346BCpqrv
+.Op Fl 346BCpqrTv
 .Op Fl c Ar cipher
 .Op Fl F Ar ssh_config
 .Op Fl i Ar identity_file
@@ -208,6 +208,16 @@ to use for the encrypted connection.
 The program must understand
 .Xr ssh 1
 options.
+.It Fl T
+Disable strict filename checking.
+By default when copying files from a remote host to a local directory
+.Nm
+checks that the received filenames match those requested on the command-line
+to prevent the remote end from sending unexpected or unwanted files.
+Because of differences in how various operating systems and shells interpret
+filename wildcards, these checks may cause wanted files to be rejected.
+This option disables these checks at the expense of fully trusting that
+the server will not send unexpected filenames.
 .It Fl v
 Verbose mode.
 Causes
author	djm@openbsd.org <djm@openbsd.org>	2019-01-26 22:41:28 +0000
committer	Colin Watson <cjwatson@debian.org>	2019-02-08 16:39:38 +0000
commit	125924e47db3713a85a70e0f8d6c23818d2ea054 (patch)
tree	c8427bede4b2f4577f27250dbd84c8f8c50928de /scp.1
parent	2a8f710447442e9a03e71c022859112ec2d77d17 (diff)

diff --git a/scp.1 b/scp.1 index 0e5cc1b2d..397e77091 100644 --- a/scp.1 +++ b/scp.1
@@ -18,7 +18,7 @@
18	.Nd secure copy (remote file copy program)	18	.Nd secure copy (remote file copy program)
19	.Sh SYNOPSIS	19	.Sh SYNOPSIS
20	.Nm scp	20	.Nm scp
21	.Op Fl 346BCpqrv	21	.Op Fl 346BCpqrTv
22	.Op Fl c Ar cipher	22	.Op Fl c Ar cipher
23	.Op Fl F Ar ssh_config	23	.Op Fl F Ar ssh_config
24	.Op Fl i Ar identity_file	24	.Op Fl i Ar identity_file
@@ -208,6 +208,16 @@ to use for the encrypted connection.
208	The program must understand	208	The program must understand
209	.Xr ssh 1	209	.Xr ssh 1
210	options.	210	options.
		211	.It Fl T
		212	Disable strict filename checking.
		213	By default when copying files from a remote host to a local directory
		214	.Nm
		215	checks that the received filenames match those requested on the command-line
		216	to prevent the remote end from sending unexpected or unwanted files.
		217	Because of differences in how various operating systems and shells interpret
		218	filename wildcards, these checks may cause wanted files to be rejected.
		219	This option disables these checks at the expense of fully trusting that
		220	the server will not send unexpected filenames.
211	.It Fl v	221	.It Fl v
212	Verbose mode.	222	Verbose mode.
213	Causes	223	Causes