[Bug 2253] New: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jul 8 16:35:26 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2253

            Bug ID: 2253
           Summary: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping,
                    arg-sep and metachar issues
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: ringerc at ringerc.id.au

Hi all

I've recently noticed that it's quite tricky to get a remote OpenSSH
command to be invoked with the correct arguments, especially if using a
command= specifier in a public key entry with "$SSH_ORIGINAL_COMMAND".

When ssh is invoked, any argument quoting is consumed by the calling
shell. ssh then passes the command to sshd, where it's stored in
SSH_ORIGINAL_COMMAND. However, no escaping is performed by ssh or sshd
to ensure that shell metacharacters are escaped and whitespace regions
within arguments aren't treated as argument separators.

In a normal shell, one uses "$@", which is the
argument-separation-and-metachar aware version of "$*".

OpenSSH lacks any equivalent. It needs one to make it possible to use
SSH_ORIGINAL_COMMAND securely without making arbitrary rules ("the
command may not contain any shell metachars and spaces within arguments
are not permitted").

It really needs a $SSH_ESCAPED_ORIGINAL_COMMAND .

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list