From 946e749131df157c57a081b17b406b80b0605d5e Mon Sep 17 00:00:00 2001
From: pm_cz <moravecp.cz+gk@gmail.com>
Date: Thu, 24 Jan 2019 11:27:36 +0100
Subject: [PATCH] Suggested changes preventing code injection

---
 .../main/java/cz/it4i/fiji/scpclient/ScpClient.java   | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/java-scpclient/src/main/java/cz/it4i/fiji/scpclient/ScpClient.java b/java-scpclient/src/main/java/cz/it4i/fiji/scpclient/ScpClient.java
index 2f3dc3b6..9b2d4baf 100644
--- a/java-scpclient/src/main/java/cz/it4i/fiji/scpclient/ScpClient.java
+++ b/java-scpclient/src/main/java/cz/it4i/fiji/scpclient/ScpClient.java
@@ -126,6 +126,10 @@ public class ScpClient implements Closeable {
 	{
 		AckowledgementChecker ack = new AckowledgementChecker();
 		// exec 'scp -f rfile' remotely
+
+		lfile=lfile.replace("'", "'\"'\"'");
+		lfile="'"+lfile+"'";
+
 		String command = "scp -f " + lfile;
 		Channel channel = getConnectedSession().openChannel("exec");
 
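Review bot: A remote path that begins with `-` is still parsed by the remote scp as an option, because the single-quoting added to `lfile` here only stops the shell from interpreting the name. Assuming the remote scp uses a getopt-style parser (OpenSSH's does), ending the option list explicitly closes that gap: `String command = "scp -f -- " + lfile;`. The same applies to the `scp -f` command in the second hunk and the `scp ... -t` command in the third. The enclosing method starts and ends outside this hunk, so any earlier validation of `lfile` is not visible here.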
@@ -265,6 +269,10 @@ public class ScpClient implements Closeable {
 	public long size(String lfile) throws JSchException, IOException {
 		AckowledgementChecker ack = new AckowledgementChecker();
 		// exec 'scp -f rfile' remotely
+
+		lfile=lfile.replace("'", "'\"'\"'");
+		lfile="'"+lfile+"'";
+
 		String command = "scp -f " + lfile;
 		Channel channel = getConnectedSession().openChannel("exec");
 
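Review bot: The two escaping lines in `size` are a verbatim copy of the ones added in the first hunk, and the third hunk has a further variant that escapes here but adds the outer quotes inside the command string, so the three call sites can drift apart. A single private helper, for example `private static String shellQuote(String s) { return "'" + s.replace("'", "'\"'\"'") + "'"; }`, called as `String command = "scp -f " + shellQuote(lfile);`, would keep the rule in one place and give it a name that can be unit-tested. Its Javadoc should say that the quoting assumes a Bourne-compatible login shell on the remote host, since some other shells (csh-style history expansion, for instance) still treat certain characters specially inside single quotes. The body of `size` continues outside this hunk.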
@@ -410,6 +418,9 @@ public class ScpClient implements Closeable {
 		AckowledgementChecker ack = new AckowledgementChecker();
 		boolean ptimestamp = false;
 		// exec 'scp -t rfile' remotely
+
+		fileName=fileName.replace("'", "'\"'\"'");
+
 		String command = "scp " + (ptimestamp ? "-p" : "") + " -t '" + fileName + "'";
 		Channel channel = getConnectedSession().openChannel("exec");
 		((ChannelExec) channel).setCommand(command);
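Review bot: Overwriting the `fileName` parameter with its shell-escaped form means every later use in this method sees `'"'"'` in place of each quote. The method continues outside the hunk, so this cannot be confirmed here, but if the name is later written into the scp protocol header, a file whose name contains `'` would be created remotely under an altered name. Keeping the escaped value in its own local avoids that: `String quotedName = fileName.replace("'", "'\"'\"'");` followed by `" -t '" + quotedName + "'"`. The first two hunks reassign `lfile` in the same way and deserve the same check.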
-- 
GitLab