From 14dc468b70ea4d4b37e805f3c82bc5d07faecaa0 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 4 Dec 2014 16:50:23 +0000
Subject: [PATCH] Quote shell argument with escapeshellarg()

Currently, the call to "scp -t" or "scp -f" just uses naive quoting - i.e. a couple of quote marks are thrown in. But, this can easily be escaped from - if the filename has a quote mark of its own in it, for example. e.g. if the filename is as follows, then bad things will happen: ";rm -rf / Instead, escapeshellarg should be used, to make sure it gets escaped properly.

---
 phpseclib/Net/SCP.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/phpseclib/Net/SCP.php b/phpseclib/Net/SCP.php
index 389265eb..64e372d3 100644
--- a/phpseclib/Net/SCP.php
+++ b/phpseclib/Net/SCP.php
@@ -170,7 +170,7 @@ class Net_SCP
             return false;
         }
 
-        if (!$this->ssh->exec('scp -t "' . $remote_file . '"', false)) { // -t = to
+        if (!$this->ssh->exec('scp -t ' . escapeshellarg($remote_file), false)) { // -t = to
             return false;
         }
 
@@ -244,7 +244,7 @@ class Net_SCP
             return false;
         }
 
-        if (!$this->ssh->exec('scp -f "' . $remote_file . '"', false)) { // -f = from
+        if (!$this->ssh->exec('scp -f ' . escapeshellarg($remote_file), false)) { // -f = from
             return false;
         }
 
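Review bot: The `+` line of the first hunk quotes with `escapeshellarg()`, which escapes for the platform PHP itself runs on, while this string is parsed by the shell on the SSH server; when PHP runs on Windows it wraps the value in double quotes and replaces `"` and `%` with spaces, so a remote POSIX sh would still expand `$(...)`, backticks and backslashes inside the argument. It also drops bytes that are invalid in the process's current locale (PHP-version dependent), so a non-ASCII `$remote_file` can be silently rewritten to a different remote path instead of being rejected. Since the target is always the remote sh-style shell, quote for that shell explicitly with a small helper — single quotes, with every embedded `'` turned into `'\''` — and use it in both the `-t` and `-f` calls, as the second hunk has the same exposure. A `$remote_file` beginning with `-` would still be read by scp as an option; whether a `--` before the path is acceptable depends on the servers you target, so that is worth confirming separately. The enclosing method starts and ends outside the hunk.

```php
    /**
     * Quote a string for the remote POSIX shell.
     *
     * escapeshellarg() quotes for the local PHP platform and may drop bytes
     * that are invalid in the current locale; the command built here is
     * parsed by the SSH server's shell, so quote for sh explicitly.
     *
     * @param string $arg
     * @return string
     * @access private
     */
    function _shellQuote($arg)
    {
        return "'" . str_replace("'", "'\\''", $arg) . "'";
    }

    // … unchanged: method body up to the scp invocation …
        if (!$this->ssh->exec('scp -t ' . $this->_shellQuote($remote_file), false)) { // -t = to
            return false;
        }
```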