Description
## Summary:
curl supports `-Q` or `--quote` (and libcurl `CURLOPT_QUOTE`) to specify "commands" to execute on FTP and SFTP connections. SFTP supports commands that perform operations on filesystem objects. When the object path contains a space, the caller is expected to quote the parameter (example: `-Q 'chmod 777 "/tmp/example file"'`). However, because the libcurl quote command parser ignores extra parameters, omitting the quotes (or attempting to use shell quoting) still lets the command execute, and the operation is attempted on an unintended object.
The curl man page states that `Filenames may be quoted shell-style to embed spaces or special characters.` This statement is misleading, as shells allow many more ways to quote spaces, for example a backslash-escaped space (`\ `), which curl does not support. This may lead an application developer to assume that shell quoting rules apply. If software trusts the documentation and generates quote commands assuming shell quoting applies, operations may be performed on unintended objects.
No AI was used in research or generation of this report. Stop the AI slop!
## Affected version
curl 8.16.0
## Steps To Reproduce:
Have curl built `--with-libssh2` (or `--with-libssh`, but I tested `--with-libssh2`)
1. on target server: `echo 1 > /tmp/example; echo 2 >/tmp/"example file"`
2. `echo > t; curl -Q 'chmod 777 /tmp/example file' -T t sftp://user@server/tmp/t`
As a result `/tmp/example` is modified to have permissions 777, not `/tmp/example file` as was intended.
Another example:
1. on target server: `echo 1 > /tmp/example\\; echo 2 >/tmp/"example file"`
2. `echo > t; curl -Q 'chmod 777 /tmp/example\ file' -T t sftp://user@server/tmp/t`
As a result `/tmp/example\` is modified to have permissions 777, not `/tmp/example file` as was intended.
## Remediation
- Adjust the quote parser in lib/vssh/libssh2.c `sftp_quote` and lib/vssh/libssh.c `myssh_in_SFTP_QUOTE` to error out if excess parameters are given to a command (indicating the caller has mistakenly passed a path containing a space without correct quoting).
- Fix the documentation so it no longer claims shell-style quoting.
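To make the parsing failure and the proposed check concrete, the following C program is a small model of how a `chmod <mode> <path>` quote command is split into parameters. It is an added example, not curl's code and not a copy of `sftp_quote` or `myssh_in_SFTP_QUOTE`; it follows only what this report establishes: a parameter that begins with `"` runs to the next `"`, any other parameter ends at the next blank, an unquoted backslash is an ordinary character, and the lenient parser ignores whatever follows the last parameter. The strict variant rejects trailing text, as the remediation above proposes. The function names, the 256-byte path buffer and `quote_path`'s refusal of paths that contain `"` are assumptions of the model, not curl behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not curl code: models the quote-command parameter grammar
 * described in the report, in a lenient and a strict variant. */
enum parse_status {
  PARSE_OK = 0,
  PARSE_MISSING_ARG,   /* fewer parameters than the command needs */
  PARSE_UNTERMINATED,  /* opening '"' with no closing '"' */
  PARSE_TOO_LONG,      /* parameter does not fit the output buffer */
  PARSE_EXCESS_ARGS    /* strict mode only: text left after the last parameter */
};

static const char *skip_blanks(const char *p) {
  while (*p == ' ' || *p == '\t')
    p++;
  return p;
}

/* Copy the next parameter from *pp into out; advance *pp past it and any
 * blanks that follow it. */
static enum parse_status next_param(const char **pp, char *out, size_t outsz) {
  const char *p = skip_blanks(*pp);
  size_t n;

  if (*p == '\0')
    return PARSE_MISSING_ARG;
  if (*p == '"') {
    const char *end = strchr(p + 1, '"');
    if (!end)
      return PARSE_UNTERMINATED;
    p++;                        /* drop the opening quote */
    n = (size_t)(end - p);
    *pp = skip_blanks(end + 1); /* resume after the closing quote */
  } else {
    n = strcspn(p, " \t");      /* unquoted: token ends at a blank, '\' is literal */
    *pp = skip_blanks(p + n);
  }
  if (n >= outsz)
    return PARSE_TOO_LONG;
  memcpy(out, p, n);
  out[n] = '\0';
  return PARSE_OK;
}

/* Parse "chmod <mode> <path>" and store the path the command would act on.
 * strict == false: text after <path> is silently ignored (reported behaviour).
 * strict == true:  leftover text is an error (proposed remediation). */
enum parse_status parse_chmod(const char *cmd, bool strict,
                              char *path, size_t pathsz) {
  const char *p = skip_blanks(cmd);
  char mode[16];
  enum parse_status st;

  if (strncmp(p, "chmod", 5) != 0 || (p[5] != ' ' && p[5] != '\t'))
    return PARSE_MISSING_ARG;
  p += 5;
  if ((st = next_param(&p, mode, sizeof mode)) != PARSE_OK)
    return st;
  if ((st = next_param(&p, path, pathsz)) != PARSE_OK)
    return st;
  if (strict && *p != '\0')
    return PARSE_EXCESS_ARGS;
  return PARSE_OK;
}

/* Path the lenient parser would act on, or NULL on error (static buffer). */
const char *lenient_target(const char *cmd) {
  static char path[256];
  return parse_chmod(cmd, false, path, sizeof path) == PARSE_OK ? path : NULL;
}

/* Status the strict parser returns for cmd. */
enum parse_status strict_status(const char *cmd) {
  char path[256];
  return parse_chmod(cmd, true, path, sizeof path);
}

/* Quote a path for this grammar: wrap it in double quotes, no backslash
 * escaping. A path containing '"' cannot be expressed in the model; refuse it. */
bool quote_path(const char *path, char *out, size_t outsz) {
  size_t n = strlen(path);
  if (strchr(path, '"') || n + 3 > outsz)
    return false;
  out[0] = '"';
  memcpy(out + 1, path, n);
  out[n + 1] = '"';
  out[n + 2] = '\0';
  return true;
}

int main(void) {
  const char *cmds[] = {            /* the three spellings from the steps above */
    "chmod 777 /tmp/example file",
    "chmod 777 /tmp/example\\ file",
    "chmod 777 \"/tmp/example file\"",
  };
  for (size_t i = 0; i < 3; i++) {
    const char *t = lenient_target(cmds[i]);
    printf("%s\n  lenient: acts on %s\n  strict: %s\n", cmds[i],
           t ? t : "(error)",
           strict_status(cmds[i]) == PARSE_OK ? "ok" : "rejected");
  }
  return 0;
}
```

Run as is, the first two commands resolve to `/tmp/example` and `/tmp/example\` under the lenient parser and are rejected by the strict one; only the double-quoted form is accepted by both and resolves to `/tmp/example file`. The point for an application generating `CURLOPT_QUOTE` strings is the same as the report's: build the path with `quote_path`-style double quoting, never with shell escaping.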
## Impact
## Summary:
- Operations performed on wrong object, with associated security impacts (unintended information disclosure, data loss)
Basic Information
- ID: H1:3379102
- Published: Oct 10, 2025 at 17:40
- Modified: Oct 12, 2025 at 08:38