[Bug 2253] New: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Jul 8 16:35:26 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2253
Bug ID: 2253
Summary: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping,
arg-sep and metachar issues
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: ringerc at ringerc.id.au
Hi all
I've recently noticed that it's quite tricky to get a remote OpenSSH
command to be invoked with the correct arguments, especially if using a
command= specifier in a public key entry with "$SSH_ORIGINAL_COMMAND".
When ssh is invoked, any argument quoting is consumed by the calling
shell. ssh then passes the command to sshd, where it's stored in
SSH_ORIGINAL_COMMAND. However, no escaping is performed by ssh or sshd
to ensure that shell metacharacters are escaped and whitespace regions
within arguments aren't treated as argument separators.
In a normal shell, one uses "$@", which is the
argument-separation-and-metachar aware version of "$*".
OpenSSH lacks any equivalent. It needs one to make it possible to use
SSH_ORIGINAL_COMMAND securely without making arbitrary rules ("the
command may not contain any shell metachars and spaces within arguments
are not permitted").
It really needs a $SSH_ESCAPED_ORIGINAL_COMMAND .
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list