On Wed, 4 Nov 2020 at 11:39, Michael Hennebry < henne...@web.cs.ndsu.nodak.edu> wrote:
> I've not used sftp at all. > I've only used scp when I had control at both ends. > > On Wed, 4 Nov 2020, George N. White III wrote: > > > This is due to a fundamental insecurity in the old-style SCP protocol: > the > > client sends the wildcard string (*.c) to the server, and the server > sends > > back a sequence of file names that match the wildcard pattern. However, > > there is nothing to stop the server sending back a different pattern and > > writing over one of your other files: if you request *.c, the server > might > > send back the file name AUTOEXEC.BAT and install a virus for you. Since > the > > wildcard matching rules are decided by the server, the client cannot > > reliably verify that the filenames sent back match the pattern. > > In this particular case, I'd think the client > could tell that a .BAT file was not a .c file. > Downloading 1000's of files resulting from some HPC calculation it would be easy to overlook an unwanted file. > There is only so much any protocol can do about a malicious server. > Even if the client explicitly specifies a server file, > there is no guarantee that the server will send a correct copy. > Those HPC systems can have many users, all with write access to shared data spaces; one compromised user workstation could be used to place malware where scp might find it. It is more of a concern now that user workstations have moved into people's homes outside the enterprise LAN's. -- George N. White III
_______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
