IETF-SSH archive


Re: New draft-draft of sftp...



Jeffrey Altman wrote:
>I am going to have to think about this concern for a bit.  However, my
>initial reaction is that if the host has been hacked so that daemon
>services are replaced then I think you are in bigger trouble.  At that
>point you can't count on the contents of any of the files you may
>receive from that server.  Depending on what they are you will be hosed.

I don't agree.  Suppose I run the following from my home directory:
   scp server:pretty*.jpg .
Ok, so if the server is malicious, I can't count on the contents
of those jpg files.  Big deal -- the worst that happens is those
pictures don't look so pretty to me, and I delete them.  This sounds
like a fairly manageable risk to me.

But now suppose that the server is malicious and, unbeknownst to
me, it returns a file that overwrites my ~/.forward file with the
contents
  "|/bin/sh"
Notice that now the server can send me email and cause arbitrary
commands to be run under my account.  The server thus gains complete
control of my account, and possibly of my machine.  This is a much
more serious consequence, and one that I never would have expected.

In other words, I don't agree that if the server is hacked you're
in bigger trouble anyway.  It looks to me like the globbing issue
might make problems much more severe than they would have been in
the absence of server-side globbing.
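The scenario above (a client asks for `pretty*.jpg`, the server answers with a file named `.forward`) is something the receiving side can refuse on its own. The following is an added illustration, not code from this thread or from any scp/sftp implementation: a hypothetical client-side filter that remembers the pattern it sent and only accepts names that are a single path component, actually match that pattern, and are not dotfiles unless the user explicitly asked for dotfiles.

```python
import fnmatch
import posixpath


def client_accepts_name(requested_pattern: str, server_name: str) -> bool:
    """Return True only if a file name returned by a server-side glob is
    one the client is willing to create in its destination directory.

    Hypothetical check, constructed for this example. The client keeps the
    pattern it sent (e.g. "pretty*.jpg") and rejects any name the server
    returns that could not have been produced by honest globbing of it.
    """
    # The server must return one plain path component: no "/", no "..",
    # no empty name, no NUL that a C-level path routine would truncate at.
    if server_name in ("", ".", "..") or "/" in server_name or "\0" in server_name:
        return False
    # Only the final component of the request is a glob over file names;
    # the directory part ("server:" and any leading path) is not matched here.
    pattern = posixpath.basename(requested_pattern)
    # fnmatch lets "*" match a leading dot, so ".forward" would satisfy a
    # bare "*".  Treat dotfiles as opt-in: accept them only when the
    # pattern itself starts with a dot.
    if server_name.startswith(".") and not pattern.startswith("."):
        return False
    return fnmatch.fnmatchcase(server_name, pattern)


def filter_server_names(requested_pattern: str, names: list[str]) -> tuple[list[str], list[str]]:
    """Split a list of names returned by the server into (accepted, rejected)."""
    accepted = [n for n in names if client_accepts_name(requested_pattern, n)]
    rejected = [n for n in names if n not in accepted]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample reply from a server that tries to slip in ".forward".
    reply = ["pretty1.jpg", "pretty2.jpg", ".forward", "../.forward", "notes.txt"]
    ok, bad = filter_server_names("pretty*.jpg", reply)
    print("accepted:", ok)   # ['pretty1.jpg', 'pretty2.jpg']
    print("rejected:", bad)  # ['.forward', '../.forward', 'notes.txt']
```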


