From 125924e47db3713a85a70e0f8d6c23818d2ea054 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 26 Jan 2019 22:41:28 +0000 Subject: upstream: check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda CVE-2019-6111 Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc Last-Update: 2019-02-08 Patch-Name: check-filenames-in-scp-client.patch --- scp.1 | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'scp.1') diff --git a/scp.1 b/scp.1 index 0e5cc1b2d..397e77091 100644 --- a/scp.1 +++ b/scp.1 @@ -18,7 +18,7 @@ .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp -.Op Fl 346BCpqrv +.Op Fl 346BCpqrTv .Op Fl c Ar cipher .Op Fl F Ar ssh_config .Op Fl i Ar identity_file @@ -208,6 +208,16 @@ to use for the encrypted connection. The program must understand .Xr ssh 1 options. +.It Fl T +Disable strict filename checking. +By default when copying files from a remote host to a local directory +.Nm +checks that the received filenames match those requested on the command-line +to prevent the remote end from sending unexpected or unwanted files. +Because of differences in how various operating systems and shells interpret +filename wildcards, these checks may cause wanted files to be rejected. +This option disables these checks at the expense of fully trusting that +the server will not send unexpected filenames. .It Fl v Verbose mode. Causes -- cgit v1.2.3