
Re: SCP a file in my home folder


On Wed, 2020-06-17 at 09:22 +0200, Guy Morand wrote:
> Hallo libssh developers,
> 
> I would like to copy a file on a remote device using libssh. With
> 0.8.7, it was working great with something like:
> 
> ```
> _scp_handle = ssh_scp_new(_ssh_session, SSH_SCP_WRITE, "~");
> // ....
> ssh_scp_push_file(_scp_handle, "my-file.txt",
>                    _update_package.size(), 0666);
> ```
> 
> But with a newer version, this results in a file called "~" in my home
> folder. The home folder is not in the standard "/home/" directory, and
> I don't want to hard code the path.
> 
> 
> Without being 100% sure, I suspect this problem was introduced when 
> fixing CVE-2019-14889.

Hi,
you are right. This change is related to the CVE-2019-14889 [1].
Previously, no escaping was done and using maliciously crafted
arguments can cause execution of arbitrary commands on the server.

Previously, the tilde expansion was happening in the remote shell,
which is now prevented. Indeed, it is not ideal as it breaks previously
working use cases.

> What am I doing wrong? Any suggestion?

Would it work for you to use SFTP? It has a nicer API and should come
with fewer surprises.

[1] https://www.libssh.org/security/advisories/CVE-2019-14889.txt

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.
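
The effect discussed in this thread, as an added example that is not part of the original messages and is not libssh code: a local `sh` stands in for the remote shell and receives the location argument once unquoted and once single-quoted. The function names, the sample file name and the `/constructed/home` value are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not libssh code. All names below are hypothetical.

# Wrap a string in single quotes for a POSIX shell, rewriting every
# embedded ' as '\'' so that nothing inside is interpreted by the shell.
# (Trailing newlines in the input are dropped by the command substitution.)
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Stand-in for the remote side: a shell parses the command text it is
# handed and prints the argument it ends up with. HOME is a constructed
# value so the result does not depend on the account running this.
remote_sees() {
    HOME=/constructed/home sh -c "printf '%s' $1"
}

# Location pasted into the command text as-is: the shell expands it.
unquoted_location() {
    remote_sees "$1"
}

# Location quoted before it reaches the shell: it arrives literally.
quoted_location() {
    remote_sees "$(quote_arg "$1")"
}

printf 'unquoted "~"  -> %s\n' "$(unquoted_location '~')"
printf 'quoted   "~"  -> %s\n' "$(quoted_location '~')"
printf 'quoted   name -> %s\n' "$(quoted_location "it's a file")"
```
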

