
SCP pull wildcard returns No such file or directory
Closed, Wontfix (Public)

Description

After updating from libssh 0.8.6 to libssh 0.9.4, wildcards in the remote path don't work anymore.

Still working:
m_scp = ssh_scp_new(m_ssh_session, SSH_SCP_READ, "path/to/file.txt");
ssh_scp_init(m_scp);
ssh_scp_pull_request(m_scp);

Working in libssh 0.8.6 but not in 0.9.4:
m_scp = ssh_scp_new(m_ssh_session, SSH_SCP_READ, "path/to/*.txt");
ssh_scp_init(m_scp);
ssh_scp_pull_request(m_scp);

Error: No such file or directory

Was this function changed/removed?
Has something else changed, which breaks this feature?

Event Timeline

tbuerli created this task. Wed, Jun 10, 2:58 PM
Jakuje added a subscriber: Jakuje. Wed, Jun 10, 7:40 PM

Sounds like a mitigation to some of the security issues fixed in 0.9.3. See the announcement message for more details:

https://www.libssh.org/2019/12/10/libssh-0-9-3-and-libssh-0-8-8-security-release/

Probably since commit 3830c7ae, which starts quoting paths, preventing them from being expanded on the remote side.

Sounds like a bug, but you should try to use sftp anyway, as scp is a really terrible protocol and it is hard to get it right and secure :/

ansasaki closed this task as Wontfix. Fri, Jun 19, 5:42 PM
ansasaki claimed this task.
ansasaki added a subscriber: ansasaki.

Hello @tbuerli,

We tried to keep those wildcards working when we introduced the fix for CVE-2019-14889, but we couldn't.

To fix the issue, we decided to single-quote the whole path string before sending it to the server, to avoid parts of it being interpreted as a command. As a side effect, the server does not perform the expansion of the wildcards.

The alternative would be to create heuristics to decide which parts are not dangerous and keep those parts out of the single-quoted string. We decided to avoid the risk of making mistakes and also the cost of developing such rules.

Unfortunately, I will close this as we don't plan to fix it. As @Jakuje suggested before, I recommend using SFTP if possible.
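
The quoting described in the comment above, as an added example that is not part of the original thread and is not libssh's own code: a generic POSIX-shell single-quoting routine showing why `path/to/*.txt` reaches the remote shell as a literal string. The helper name `shell_single_quote`, the sample paths, and the `scp -f <path>` command form are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libssh's code): wrap `path` in single quotes for a
 * POSIX shell. Inside single quotes nothing is special, so the only byte that
 * needs care is ' itself, emitted as '\'' (close, escaped quote, reopen).
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
char *shell_single_quote(const char *path)
{
    size_t len = 2; /* opening and closing quote */
    for (const char *p = path; *p != '\0'; p++) {
        len += (*p == '\'') ? 4 : 1;
    }

    char *out = malloc(len + 1);
    if (out == NULL) {
        return NULL;
    }

    char *w = out;
    *w++ = '\'';
    for (const char *p = path; *p != '\0'; p++) {
        if (*p == '\'') {
            memcpy(w, "'\\''", 4);
            w += 4;
        } else {
            *w++ = *p; /* '*', '?', '$' and spaces are copied as literals */
        }
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Constructed demo: the command line a remote shell would parse for a pull,
 * assuming the source-mode command has the form "scp -f <path>". */
int main(void)
{
    const char *samples[] = { "path/to/file.txt", "path/to/*.txt", "it's $HOME.txt" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *q = shell_single_quote(samples[i]);
        if (q == NULL) {
            return 1;
        }
        printf("scp -f %s\n", q);
        free(q);
    }
    return 0;
}
```

Because the whole path becomes one quoted word, the remote shell looks for a file literally named `*.txt`, which matches the "No such file or directory" error in the report.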