Back when CVE-2020-15778 came out, there was an ongoing thread on openssh-unix-dev@ about deprecating scp. The main problem that I noticed from the dialogue was that the community felt (paraphrasing and summarizing) that "If you support scp on your server, you should know to filter backticks." There was little interest in changing the behavior (understandable - this breaks backwards compatibility) or in updating the man pages and other documentation to note this was an issue. I felt that the latter was where scp showed its legacy. Security should be built into products by default, not a series of "gotchas" that users manually configure against.
I love the idea of having a 'secure with default settings' version of scp that functions with the same syntax. I think that would be great to get users to use by default and avoid the footguns that come with default scp.