===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/scp.c,v
retrieving revision 1.214
retrieving revision 1.215
diff -u -r1.214 -r1.215
--- src/usr.bin/ssh/scp.c 2021/04/03 06:18:40 1.214
+++ src/usr.bin/ssh/scp.c 2021/07/05 00:25:42 1.215
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.214 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.215 2021/07/05 00:25:42 djm Exp $ */
 /*
 * scp - secure remote copy. This is basically patched BSD rcp which
 * uses ssh to do the data transfer (instead of using rcmd).
@@ -888,10 +888,6 @@
 goto out;
 }
 }
- if (tuser != NULL && !okname(tuser)) {
- ++errs;
- goto out;
- }
 /* Parse source files */
 for (i = 0; i < argc - 1; i++) {
@@ -926,6 +922,15 @@
 (void) close(remout);
 remin = remout = -1;
 } else if (host) { /* standard remote to remote */
+ /*
+ * Second remote user is passed to first remote side
+ * via scp command-line. Ensure it contains no obvious
+ * shell characters.
+ */
+ if (tuser != NULL && !okname(tuser)) {
+ ++errs;
+ continue;
+ }
 if (tport != -1 && tport != SSH_DEFAULT_PORT) {
 /* This would require the remote support URIs */
 fatal("target port not supported with two "
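Review bot: The relocated `okname(tuser)` test under `else if (host)` now runs for every source argument although `tuser` belongs to the target and does not change inside the loop, so one rejected target user bumps `errs` (and repeats whatever okname() reports) once per remote source, and sources that take another branch in the same invocation appear to be copied anyway, where the removed `goto out` stopped everything. If that partial-copy behaviour is intended, the new comment should say so and also state why the neighbouring branches need no check, for example `* Other modes pass tuser to the local ssh as an argument, not through a remote shell.` (to be confirmed against the code outside this hunk). Since the comment itself only promises "obvious" shell characters, it is worth adding that okname() is a character filter rather than shell quoting, so any other string placed on that same command line deserves the same scrutiny. The loop and the branches on either side extend beyond the hunk.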