# curl: Missing enforcement of SFTP quote syntax can lead to operation on wrong object (H1:3379102)

Posted on zero redgem (https://zero.redgem.net/?p=21207) by invoker, 2025-10-12. Source: HackerOne report 3379102, https://hackerone.com/reports/3379102, published 2025-10-10T17:40:46, last modified 2025-10-12T08:38:16. Bulletin family: bug bounty. No CVE assigned; no CVSS score.

## Summary:
curl supports `-Q` or `--quote` (and libcurl `CURLOPT_QUOTE`) to specify "commands" to execute for FTP and SFTP connections. SFTP supports commands that perform operations on filesystem objects. When the object path contains a space, the caller is supposed to quote the parameter (example: `-Q 'chmod 777 "/tmp/example file"'`). However, because the libcurl quote command parser ignores extra parameters, omitting the quotes (or attempting to use shell quoting) lets the command execute, and the operation is attempted on an unintended object.

The curl man page states that "`Filenames may be quoted shell-style to embed spaces or special characters.`" This statement is misleading, as shells allow many more ways to quote spaces, for example `\ `, which curl does not support. This may lead application developers to assume that shell quoting rules apply. If some software trusts the documentation and generates quote commands assuming shell quoting applies, operations may be performed on unintended objects.

No AI was used in research or generation of this report. Stop the AI slop!

## Affected version
curl 8.16.0

## Steps To Reproduce:
Have curl built `--with-libssh2` (or `--with-libssh`, but I tested `--with-libssh2`).

  1. On the target server: `echo 1 > /tmp/example; echo 2 >/tmp/"example file"`
  2. `echo > t; curl -Q 'chmod 777 /tmp/example file' -T t sftp://user@server/tmp/t`

As a result `/tmp/example` is modified to have permissions 777, not `/tmp/example file` as was intended.

Another example:

  1. On the target server: `echo 1 > /tmp/example\\; echo 2 >/tmp/"example file"`
  2. `echo > t; curl -Q 'chmod 777 /tmp/example\ file' -T t sftp://user@server/tmp/t`

As a result `/tmp/example\` is modified to have permissions 777, not `/tmp/example file` as was intended.

## Remediation
- Adjust the quote parser in lib/vssh/libssh2.c `sftp_quote` and lib/vssh/libssh.c `myssh_in_SFTP_QUOTE` to error out if excess parameters are given to a command (indicating the caller has mistakenly attempted to give a path with a space without correct quoting).
- Fix the documentation so it no longer claims `shell-style quoting`.

## Impact

## Summary:
- Operations performed on the wrong object, with associated security impacts (unintended information disclosure, data loss).