Hi! I'm not sure is that a bug or a future. Since SCP doesn't escape filenames it's possible to execute an arbitrary command: localhost:~$ scp 'mchome:foo;echo 123 > foo' /tmp/foo scp: foo: No such file or directory localhost:~$ scp 'mchome:foo;echo 123 > foo' /tmp/foo foo 100% 4 0.0KB/s 00:00 localhost:~$ cat /tmp/foo 123 I've traced it and it seems to me that scp is executing the following command on remote side: scp -f -- foo;echo 123 > foo
the client side scp can't escape the filenames because it does not know what shell is on the other end or what its quoting rules are (and "fixing" this on the client side doesn't help security anyway). the command gets run by the remote shell regardless of what the remote scp does (you can delete scp from the remote side entirely and it'll still happen). If you want to prevent this, you need to enforce it in the remote shell eg with a restricted shell of some type (scponly and rssh are example I'm aware of, but I can't vouch for them).
Like Darren said, this is an unfixable limitation of scp. If you need file-transfer that doesn't require shell access then use ForceCommand and sftp
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1