From b67eb12f013c5441bb4f0893a97533582ad4eb13 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 5 Jul 2021 00:25:42 +0000
Subject: upstream: allow spaces to appear in usernames for local to remote,

and scp -3 remote to remote copies. with & ok dtucker bz#1164

OpenBSD-Commit-ID: e9b550f3a85ffbb079b6720833da31317901d6dd
---
 scp.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'scp.c')

diff --git a/scp.c b/scp.c
index d23f34c1..cc2dcc37 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.214 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.215 2021/07/05 00:25:42 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -915,10 +915,6 @@ toremote(int argc, char **argv)
 			goto out;
 		}
 	}
-	if (tuser != NULL && !okname(tuser)) {
-		++errs;
-		goto out;
-	}
 
 	/* Parse source files */
 	for (i = 0; i < argc - 1; i++) {
@@ -953,6 +949,15 @@ toremote(int argc, char **argv)
 			(void) close(remout);
 			remin = remout = -1;
 		} else if (host) {	/* standard remote to remote */
+			/*
+			 * Second remote user is passed to first remote side
+			 * via scp command-line. Ensure it contains no obvious
+			 * shell characters.
+			 */
+			if (tuser != NULL && !okname(tuser)) {
+				++errs;
+				continue;
+			}
 			if (tport != -1 && tport != SSH_DEFAULT_PORT) {
 				/* This would require the remote support URIs */
 				fatal("target port not supported with two "
-- 
cgit v1.2.1