path: root/usr.bin/ssh/scp.c
Age | Commit message | Author
2019-09-09 | Fix potential truncation warning. ok deraadt. | Darren Tucker
2019-06-28 | When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future. | Theo de Raadt
2019-02-10 | when checking that filenames sent by the server side match what the client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}". "looks good to me" millert@ + in snaps for the last week courtesy deraadt@ | Damien Miller
2019-01-27 | add -T to usage(); | Jason McIntyre
2019-01-26 | check in scp client that filenames sent during remote->local directory copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@ | Damien Miller
2019-01-24 | Have progressmeter force an update at the beginning and end of each transfer. Fixes the problem recently introduced where very quick transfers do not display the progressmeter at all. Spotted by naddy@ | Darren Tucker
2019-01-23 | Sanitize scp filenames via snmprintf. To do this we move the progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@ | Darren Tucker
2019-01-21 | Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1) to match ssh(1)'s interface. ok djm | Theo Buehler
2018-11-16 | disallow empty incoming filename or ones that refer to the current directory; based on report/patch from Harry Sintonen | Damien Miller
2018-06-01 | Apply umask to all incoming files and directories not just files. This makes sure it gets applied to directories too, and prevents a race where files get chmodded after creation. bz#2839, ok djm@ | Darren Tucker
2018-04-10 | lots of typos in comments/docs. Patch from Karsten Weiss after checking with codespell tool (https://github.com/lucasdemarchi/codespell) | Damien Miller
2018-02-10 | Disable RemoteCommand and RequestTTY in the ssh session started by scp. sftp is already doing this. From Camden Narzt via github; ok dtucker | Damien Miller
2017-12-18 | Add helper function for uri handling in scp where a missing path simply means ".". Also fix exit code and add warnings when an invalid uri is encountered. OK otto@ | Todd C. Miller
2017-10-21 | Add URI support to ssh, sftp and scp. For example ssh://user@host or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@ | Todd C. Miller
2017-05-31 | Switch to recallocarray() for a few operations. Both growth and shrinkage are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus | Theo de Raadt
2017-05-02 | remove options -12 from usage(); | Jason McIntyre
2017-04-30 | exterminate the -1 flag from scp ok markus@ | Damien Miller
2017-04-28 | Avoid relying on implementation-specific behavior when detecting whether the timestamp or file size overflowed. If time_t and off_t are not either 32-bit or 64-bit scp will exit with an error. OK djm@ | Todd C. Miller
2017-04-27 | Avoid potential signed int overflow when parsing the file size. Use strtoul() instead of parsing manually. OK djm@ | Todd C. Miller
2016-09-12 | Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker | Theo de Raadt
2016-05-25 | To prevent screwing up terminal settings when printing to the terminal, for ASCII and UTF-8, escape bytes not forming characters and bytes forming non-printable characters with vis(3) VIS_OCTAL. For other character sets, abort printing of the current string in these cases. In particular, * let scp(1) respect the local user's LC_CTYPE locale(1); * sanitize data received from the remote host; * sanitize filenames, usernames, and similar data even locally; * take character display widths into account for the progressmeter. This is believed to be sufficient to keep the local terminal safe on OpenBSD, but bad things can still happen on other systems with state-dependent locales because many places in the code print unencoded ASCII characters into the output stream. Using feedback from djm@ and martijn@, various aspects discussed with many others. deraadt@ says it should go in now, i probably already hesitated too long | Ingo Schwarze
2016-03-02 | Improve accuracy of reported transfer speeds by waiting for the ack from the other end. Pointed out by mmcc@, ok deraadt@ markus@ | Darren Tucker
2015-11-27 | pledge "stdio rpath wpath cpath fattr tty proc exec" except for the -p option (which sadly has insane semantics...) ok semarie dtucker | Theo de Raadt
2015-10-16 | 0 -> NULL when comparing with a char*. ok dtucker@, djm@. | mmcc
2015-04-24 | rename xrealloc() to xreallocarray() since it follows that form. ok djm | Theo de Raadt
2015-01-16 | Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol) | Theo de Raadt
2014-06-24 | when copying local->remote fails during read, don't send uninitialised heap to the remote end. Reported by Jann Horn | Damien Miller
2013-11-20 | unsigned casts for ctype macros where necessary ok guenther millert markus | Theo de Raadt
2013-06-22 | improved time_t overflow check suggested by guenther@ | Damien Miller
2013-06-21 | make this -Wsign-compare clean after time_t conversion | Damien Miller
2013-06-17 | Handle time_t values as long long's when formatting them and when parsing them from remote servers. Improve error checking in parsing of 'T' lines. ok dtucker@ deraadt@ | Philip Guenther
2013-06-04 | use MAXPATHLEN for buffer size instead of fixed value. ok markus | Darren Tucker
2013-06-01 | Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patch from Nathan Osman via bz#2085. ok deraadt. | Darren Tucker
2013-05-17 | bye, bye xfree(); ok markus@ | Damien Miller
2013-05-16 | Fix some "unused result" warnings found via clang and -portable. ok markus@ | Darren Tucker
2011-09-09 | suppress adding '--' to remote commandlines when the first argument does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms; feedback & ok dtucker ok markus | Damien Miller
2010-12-09 | scp.1: grammar fix; scp.c: add -3 to usage() | Jason McIntyre
2010-12-08 | add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. ok djm@ (bugzilla #1837) | Markus Friedl
2010-11-26 | Pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837 ok dtucker@ | Damien Miller
2010-09-22 | add an option per-read/write callback to atomicio; factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism add a bandwidth limit option to sftp(1) using the above "very nice" markus@ | Damien Miller
2010-07-01 | Fix a longstanding problem where if you suspend scp at the password/passphrase prompt the terminal mode is not restored. OK djm@ | Todd C. Miller
2009-12-20 | When passing user-controlled options with arguments to other programs, pass the option and option argument as separate argv entries and not smashed into one (e.g., as -l foo and not -lfoo). Also, always pass a "--" argument to stop option parsing, so that a positional argument that starts with a '-' isn't treated as an option. This fixes some error cases as well as the handling of hostnames and filenames that start with a '-'. Based on a diff by halex@ ok halex@ djm@ deraadt@ | Philip Guenthe
2008-10-10 | spelling in comment; ok djm@ | Kevin Steves
2008-06-13 | Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@ | Darren Tucker
2008-01-01 | If scp -p encounters a pre-epoch timestamp, use the epoch which is as close as we can get given that it's used unsigned. Add a little debugging while there. bz #828, ok djm@ | Darren Tucker
2007-10-24 | factor out network read/write into an atomicio()-like function, and use it to handle short reads, apply bandwidth limits and update counters. make network IO non-blocking, so a small trickle of reads/writes has a chance of updating the progress meter; bz #799 ok dtucker@ | Damien Miller
2007-08-06 | the ellipsis is not an optional argument; while here, sync the usage and synopsis of commands lots of good ideas by jmc@ ok jmc@ | Igor Sobrado
2007-06-13 | don't ftruncate() non-regular files; bz#1236 reported by wood AT xmission.com; ok dtucker@ | Damien Miller
2007-06-12 | Encode filename with strnvis if the name contains a newline (which can't be represented in the scp protocol), from bz #891. ok markus@ | Darren Tucker
2007-06-12 | make scp try to skip FIFOs rather than blocking when nothing is listening. depends on the platform supporting sane O_NONBLOCK semantics for open on FIFOs (apparently POSIX does not mandate this), which OpenBSD does. bz #856; report by cjwatson AT debian.org; ok markus@ | Damien Miller