+++ This bug was initially created as a clone of Bug #168167 +++

Description of problem:
scp currently implements local-to-local copy by constructing a command line using 'cp' in a string and then using system(). Besides the fact that using system() is really always wrong (only lazy people use it), this has the added problem that the file name is exposed twice to shell expansion. The file name could contain characters which need quoting, like $ or spaces. This second expansion must be avoided.

Version-Release number of selected component (if applicable):
openssh-clients-4.2p1-1.x86_64

How reproducible:
always

Steps to Reproduce:
1. touch foo\ bar
2. mkdir somedir
3. scp foo\ bar somedir

Actual results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory

Expected results:
no message, file copied

Additional info:
I'll attach a patch. Upstream would probably not like it, but glibc is advanced enough to provide the necessary functions. There are also a few more places where I've seen TEMP_FAILURE_RETRY or equivalent code missing.

-- Additional comment from drepper on 2005-09-13 00:46 EST --

Things are even bleaker than this, so I mention this separately and privately. If someone manages to trick somebody into using scp like

  scp '$(touch yyy)' somedir

which should be harmless, one sees that the subexpression is executed because of the double shell expansion.

-- Additional comment from bressers on 2005-09-19 15:53 EST --

Yes, this is a security issue. I spent some time looking at this today, and this disturbs me:

bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x 2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r-- 1 bress bress    0 Sep 19 14:51 `touch feh`
bress@link:/tmp/josh% scp * a
cp: omitting directory `a'
cp: missing destination file
Try `cp --help' for more information.
zsh: exit 1     scp * a
bress@link:/tmp/josh% ls -l
total 4
drwxrwxr-x 2 bress bress 4096 Sep 19 14:51 a
-rw-rw-r-- 1 bress bress    0 Sep 19 14:52 feh
-rw-rw-r-- 1 bress bress    0 Sep 19 14:51 `touch feh`

While I know most people don't use scp to move files around their local system, I do leave off the trailing : quite often.

-- Additional comment from tmraz on 2005-09-28 16:51 EST --

Created an attachment (id=119390)
This patch uses fork + exec instead of posix_spawnp

This patch uses fork + exec instead of posix_spawnp and also fixes the remote to remote copy.
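The fix tmraz describes, fork + exec with an argv array instead of system() on a formatted string, as an added example that is not the openssh patch attached to this bug. The original pattern was roughly snprintf(cmd, ..., "cp %s %s", src, dst); system(cmd), which hands the file names to /bin/sh for a second round of word splitting and expansion. Passing them as separate argv entries to execlp means the kernel hands them to cp byte for byte, so spaces, $ and backquotes are never interpreted; the "--" argument additionally stops cp from reading a name that begins with "-" as an option. The function names copy_local_noshell and demo_copy_with_hostile_name, the temporary directory and the file name containing a space and a $ are constructed for this illustration; the waitpid loop is the TEMP_FAILURE_RETRY idiom the report mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run "cp -- <src> <dst>" without a shell. Each name is one argv entry,
 * so nothing in it is re-parsed. Returns cp's exit status (0 on success),
 * or -1 if fork/exec/wait failed. */
static int copy_local_noshell(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: replace the image with cp; no /bin/sh -c in between */
        execlp("cp", "cp", "--", src, dst, (char *)NULL);
        _exit(127);                 /* reached only if exec failed */
    }
    int status;
    pid_t r;
    do {
        r = waitpid(pid, &status, 0);   /* retry if interrupted by a signal */
    } while (r < 0 && errno == EINTR);
    if (r < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: in a fresh temporary directory, create a file whose name a
 * shell would mangle ("foo bar $HOME" is a constructed example), copy it into
 * a subdirectory with the no-shell copier and check that the copy exists
 * under exactly that name. Returns 1 on success, 0 on failure. */
static int demo_copy_with_hostile_name(void)
{
    char tmpl[] = "scpdemo.XXXXXX";        /* relative to the current dir */
    char *dir = mkdtemp(tmpl);
    if (!dir)
        return 0;

    char src[4096], sub[4096], dst[4096];
    snprintf(src, sizeof src, "%s/foo bar $HOME", dir);
    snprintf(sub, sizeof sub, "%s/somedir", dir);
    snprintf(dst, sizeof dst, "%s/foo bar $HOME", sub);

    int ok = 0;
    int fd = open(src, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) {
        close(fd);
        if (mkdir(sub, 0755) == 0) {
            struct stat st;
            /* with system() this would have become "cp foo bar /home/...";
             * here cp sees the one name unchanged */
            ok = copy_local_noshell(src, sub) == 0 &&
                 stat(dst, &st) == 0 && S_ISREG(st.st_mode);
        }
    }

    /* clean up everything the demo created */
    unlink(dst);
    rmdir(sub);
    unlink(src);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int ok = demo_copy_with_hostile_name();
    printf("copy with shell metacharacters in the name: %s\n",
           ok ? "ok, name passed through verbatim" : "FAILED");
    return ok ? 0 : 1;
}
```

The same argv discipline is what posix_spawnp gives you, which is why the two patches in this bug are interchangeable on that point; fork + exec is simply the more portable spelling for the openssh tree.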
Created attachment 123579 [details] Patch used in FC4 and FC5 packages
Thanks for the patch Tomas. I have backported it to all the Fedora Legacy releases. Updated packages with it can be found in bug 168935.
*** This bug has been marked as a duplicate of 168935 ***