Improve documentation of the SCP wildcard safety issue: in

particular, mention that doing an SCP wildcard download into a clean
directory is adequate protection against a malicious server trying
to overwrite your files.

git-svn-id: svn://svn.tartarus.org/sgt/putty@5279 cda61777-01e9-0310-a592-d414129be87e

diff --git a/doc/pscp.but b/doc/pscp.but
index 4485b9b..0b26d72 100644 (file)
--- a/doc/pscp.but
+++ b/doc/pscp.but
@@ -96,10 +96,10 @@ direction, like this:
 
 However, in the second case (using a wildcard for multiple remote
 files) you may see a warning saying something like \q{warning:
-remote host tried to write to a file called 'terminal.c' when we
-requested a file called '*.c'. If this is a wildcard, consider
-upgrading to SSH 2 or using the '-unsafe' option. Renaming of this
-file has been disallowed}.
+remote host tried to write to a file called \cq{terminal.c} when we
+requested a file called \cq{*.c}. If this is a wildcard, consider
+upgrading to SSH 2 or using the \cq{-unsafe} option. Renaming of
+this file has been disallowed}.
 
 This is due to a fundamental insecurity in the old-style SCP
 protocol: the client sends the wildcard string (\c{*.c}) to the
@@ -128,7 +128,11 @@ happen. However, you should be aware that by using this option you
 are giving the server the ability to write to \e{any} file in the
 target directory, so you should only use this option if you trust
 the server administrator not to be malicious (and not to let the
-server machine be cracked by malicious people).
+server machine be cracked by malicious people). Alternatively, do
+any such download in a newly created empty directory. (Even in
+\q{unsafe} mode, PSCP will still protect you against the server
+trying to get out of that directory using pathnames including
+\cq{..}.)
 
 \S2{pscp-usage-basics-user} \c{user}