[Bug 1762] Improve the documentation w.r.t. "the user's shell"
bugzilla-daemon at bugzilla.mindrot.org
Fri Apr 7 13:27:53 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=1762
imoverclocked at gmail.com changed:
What       |Removed        |Added
-----------|---------------|---------------------------
Severity   |enhancement    |security
CC         |               |imoverclocked at gmail.com
Component  |Documentation  |ssh
Version    |5.5p1          |7.4p1
--- Comment #2 from imoverclocked at gmail.com ---
Given the URL in a web browser:
"ssh://user@somehost.%60id%3E%2Ftmp%2Fwhoami%60.example.com"
iTerm2 currently launches ssh with a hostname of:
somehost.`id>/tmp/whoami`.example.com
With a vanilla SSH configuration this is ok since SSH errors out with
"host not found." However, with a special SSH configuration, a website
can execute an arbitrary command:
```
Host *
ProxyCommand connect_to %r %h
```
What happened:
`id>/tmp/whoami` was executed.
What should have happened instead:
1) SSH passes %r/%h as an argument to the ProxyCommand without shell
interpolation
2) %h should be validated to adhere to valid punycode
3) Introduce a SafeProxyCommand that only allows safe characters in
%r/%h/etc...
--
You are receiving this mail because:
You are watching the assignee of the bug.
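The problem described in the comment above, as an added example that is not part of the bug report or of OpenSSH: a small POSIX shell script that models how a ProxyCommand string with %r/%h filled in by text substitution behaves when it is handed to the user's shell, contrasts that with passing the hostname as a separate argv element, and shows a hostname syntax check a URL handler (such as a terminal opening an ssh:// link) could apply before ever invoking ssh. Assumptions: the token expansion is a simplified stand-in for ssh's own, the `connect_to` program from the report is replaced by `echo` so the script runs anywhere, and the demonstration hostname is a constructed variant of the report's with the inner command replaced by a harmless marker so nothing is written to /tmp.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH). Models the failure
# described in the report: ProxyCommand tokens are expanded by text
# substitution and the result is run by the user's shell, so shell
# metacharacters inside the hostname become shell syntax. Also shows a
# hostname check that a URL handler can apply before ssh is invoked.

# Hostname from the report, single-quoted so nothing here is executed.
REPORT_HOST='somehost.`id>/tmp/whoami`.example.com'
# Constructed variant: same shape, but the inner command is a harmless
# marker instead of `id>/tmp/whoami`, so the demonstration touches no files.
DEMO_HOST='somehost.`echo INJECTED`.example.com'
GOOD_HOST='somehost.example.com'

# Simplified stand-in for ssh's token expansion: %r -> user, %h -> host,
# by plain text substitution. Only these two tokens are handled.
expand_proxycommand() {
    tmpl=$1 user=$2 host=$3 out=''
    while [ -n "$tmpl" ]; do
        case $tmpl in
            %r*) out="$out$user"; tmpl=${tmpl#%r} ;;
            %h*) out="$out$host"; tmpl=${tmpl#%h} ;;
            *)   c=${tmpl%"${tmpl#?}"}    # first character, literally
                 out="$out$c"; tmpl=${tmpl#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Current behaviour, modelled: the expanded string is given to `sh -c`.
# 'connect_to' from the report is replaced by 'echo' so it exists everywhere.
run_via_shell() {
    cmd=$(expand_proxycommand 'echo %r %h' "$1" "$2")
    sh -c "$cmd"
}

# Fix (1) from the report, modelled: %r and %h are separate argv elements
# and no shell parses them, so the backticks arrive as literal bytes.
run_as_argv() {
    echo "$1" "$2"    # stands for: exec connect_to "$user" "$host"
}

# Hostname syntax check (RFC 1123 shape): letters, digits, '-' and '.',
# labels 1..63 chars that neither start nor end with '-', whole name
# at most 253 chars. Anything else, backticks included, is rejected.
valid_hostname() {
    h=$1
    [ -n "$h" ] && [ ${#h} -le 253 ] || return 1
    case $h in *[!A-Za-z0-9.-]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $h                          # split into labels; no glob chars remain
    IFS=$old_ifs
    for label in "$@"; do
        [ -n "$label" ] && [ ${#label} -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# What a URL handler should do: refuse to run ssh at all on a hostname
# that fails the syntax check. Prints the command it would run instead
# of running it, so the example has no network side effects.
safe_connect() {
    valid_hostname "$2" || { echo "refusing hostname: $2" >&2; return 2; }
    printf 'ssh %s@%s\n' "$1" "$2"
}

# Demonstration when run directly.
echo "via shell : $(run_via_shell user "$DEMO_HOST")"
echo "as argv   : $(run_as_argv user "$DEMO_HOST")"
safe_connect user "$GOOD_HOST"
safe_connect user "$REPORT_HOST" || echo "rejected (status $?)"
```

Running it shows the inner command executing only on the `sh -c` path ("via shell : user somehost.INJECTED.example.com"), the backticks surviving literally on the argv path, and the report's hostname being refused before anything resembling ssh is called. Validation at the URL-handler layer is a defence in depth on top of fix (1); it does not replace passing tokens without shell interpolation, since a hostname that passes the syntax check could still be unsafe for a ProxyCommand that feeds it to some other interpreter.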