SSH2 Filesystem transport; Multiple issues
Reported by: DD32
Owned by:
Severity: normal
Keywords: has-patch needs-testing tested
The SSH2 filesystem transport appears to have a few issues:
- Filenames with multiple dashes cannot be created
- e.g.: cforms has a file -----HISTORY.txt which cannot be created
- Filenames are not properly escaped before being escaped
- e.g.: run_command($this->link, sprintf('ls -lad %s', $file)); instead of say run_command($this->link, sprintf('ls -lad "%s"', $file)); or better: run_command($this->link, sprintf('ls -lad "%s"', escapeshellarg($file) ) );
- escapeshellarg() or one unique to the SSH2 transport should be used on such files
- While not specifically a defect, using @fopen('ssh2.sftp://' instead of ssh2_scp_recv() can be much faster according to the PHP docs. It also avoids having to use a temporary file, as you can read it straight into a variable.
I'm going to attach a patch that's a bit of a POC. It doesn't "fix" anything mentioned here, just a start towards it, and highlights the areas which need attention.
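The two filename problems described in this ticket (names beginning with dashes, and names reaching the remote shell unescaped) can be handled together when the command string is built. The following is an added example, not code from the ticket's patch or from WordPress; the function names `sftp_posix_quote()` and `sftp_build_command()` and the sample filenames are hypothetical. It assumes the server runs a POSIX shell, quotes without adding a second pair of double quotes around the result, and the string it returns is what would be handed to `run_command()`.

```php
<?php
// Added example (not WordPress code); function names are hypothetical.

/**
 * Quote one argument for a remote POSIX shell.
 * Written by hand instead of calling escapeshellarg() because that function
 * quotes for the OS PHP runs on (on Windows it emits double quotes), while
 * the command is interpreted by the shell on the SSH server.
 */
function sftp_posix_quote(string $arg): string
{
    if (strpos($arg, "\0") !== false) {
        // A NUL byte cannot be part of a filename or a shell word.
        throw new InvalidArgumentException('NUL byte in shell argument');
    }
    // Inside single quotes only the single quote is special:
    // close the quote, emit an escaped quote, reopen the quote.
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

/**
 * Build "<command> <options> -- <path>".
 * $command must be a fixed literal chosen by the caller, never user input.
 * The "--" marks the end of options, so a name such as -----HISTORY.txt
 * is read as a filename operand instead of a set of flags.
 */
function sftp_build_command(string $command, array $options, string $path): string
{
    $parts = [$command];
    foreach ($options as $opt) {
        $parts[] = sftp_posix_quote($opt);
    }
    $parts[] = '--';
    $parts[] = sftp_posix_quote($path);
    return implode(' ', $parts);
}

// Constructed sample filenames: leading dashes, a space, quotes and a "$".
$samples = ['-----HISTORY.txt', 'read me.txt', "it's \$HOME \"x\".txt"];
foreach ($samples as $file) {
    echo sftp_build_command('ls', ['-lad'], $file), "\n";
}
```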
Change History (15)
- Component changed from General to Upgrade
- Keywords has-patch commit added
- Milestone changed from 2.8 to 2.7
- Owner anonymous deleted