Package: rssh
Version: 2.3.4-4+deb8u2
Severity: important
Since our fileserver auto patched to rssh 2.3.4-4+deb8u2 this morning, our
automated scp requests have been failing if we try get multiple files from the
server in one wildcarded request.
So to recreate
---------
$ scp u...@example.com://directory//file.x86_64_*.*.zip .
The authenticity of host 'example.com (192.168.60.224)' can't be established.
ECDSA key fingerprint is ########################
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com (192.168.60.224)' (ECDSA) to the list
of known hosts.
insecure scp option not allowed.
This account is restricted by rssh.
Allowed commands: scp sftp rsync
If you believe this is in error, please contact your system administrator.
----------
where example.com://directory//file.x86_64_*.*.zip matched 2 or more files
Moving files from the fileserver until there's only one match results in a
successful download.
Not using wildcards is also ok.
I believe this was caused by the new method " static int scp_okay( char **vec )
" which seems to deliberately fail if there are multiple files seen. The end of
the loop seems designed to fail if saw_file is already true?
---------------------
+/*
+ * scp_okay() - take the command line and check that it is a hopefully-safe scp
+ * server command line, accepting only very specific options.
+ * Returns FALSE if the command line should not be allowed, TRUE
+ * if it is okay.
+ */
+static int scp_okay( char **vec )
+{
+ int saw_file = FALSE;
+ int saw_end = FALSE;
+
+ for ( vec++; vec && *vec; vec++ ){
+ /* Allowed options. */
+ if ( !saw_end ) {
+ if ( strcmp(*vec, "-v") == 0 ) continue;
+ if ( strcmp(*vec, "-r") == 0 ) continue;
+ if ( strcmp(*vec, "-p") == 0 ) continue;
+ if ( strcmp(*vec, "-d") == 0 ) continue;
+ if ( strcmp(*vec, "-f") == 0 ) continue;
+ if ( strcmp(*vec, "-t") == 0 ) continue;
+ }
+
+ /* End of arguments. One more argument allowed after this. */
+ if ( !saw_end && strcmp(*vec, "--") == 0 ){
+ saw_end = TRUE;
+ continue;
+ }
+
+ /* No other options allowed, but allow file starting with -. */
+ if ( *vec[0] == '-' && !saw_end ) return FALSE;
+ if ( saw_file ) return FALSE;
+ saw_file = TRUE;
+ }
+
+ /* We must have seen a single file. */
+ return saw_file;
+}
--------------
This is on an Ubuntu14:04 machine. I've marked it "severity important" as it's
a regression that caused a set of 3 fileservers who'd been happy for ~ 5 years
to stop serving the required files and took a fair while to debug as this was
an automated process and we didn't suspect a fileservr change for a fair while.
I hope this is explanatory enough but please ask for more details if needed.
thanks
Martin
