https://bugzilla.mindrot.org/show_bug.cgi?id=3693
--- Comment #2 from renmingshuai <[email protected]> ---
(In reply to Damien Miller from comment #1)
> No, it's not based on the protocol because it's local only.
>
> How could a server exploit this? There's no way for sftp to pass
> server output to its command input unless the user explicitly
> configures it.

It is not sftp that passes the server output to its command input. The user's expect script captures the keyword "password" in the server's banner, and then inputs "!test" to sftp command input.
For example:

spawn sftp username@Host
expect {
    "*assword*" {send -- "! test\r"}
}
