[Bug 2766] New: support "--" to disambiguate option and non-option arguments
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat Aug 26 01:33:15 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2766
Bug ID: 2766
Summary: support "--" to disambiguate option and non-option
arguments
Product: Portable OpenSSH
Version: 7.5p1
Hardware: Other
URL: https://bugs.debian.org/873201
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
I'm forwarding verbatim a bug report from Thorsten Glaser (also at the
attached URL). The intemperate language is not mine, but I decided
against editing it.
ssh of course doesn't document "--" as part of its interface, so IMO
all the uses of "should" here are with reference to an idealised
interface rather than the documentation. Nevertheless, it does seem
that it would be extremely useful to have a reliable way to
disambiguate between options to ssh itself and options that should be
passed to the remote command.
---
Subject: command line parsing with -- between option and non-option
arguments completely broken
Hi,
in the process of me fixing CVE-2017-12836 a user noticed a
problem with OpenSSH’s command line parsing.
I’ve verified these on OpenSSH 5.3 (MirBSD) and 7.5p1 (Debian).
So, to begin with, this command _should_ spawn xeyes:
$ ssh -oProxyCommand=xeyes vuxu.org
This command _could_ spawn xeyes on glibc systems, but
probably shouldn’t on POSIX or BSD systems:
$ ssh vuxu.org -oProxyCommand=xeyes
This command properly does not spawn xeyes but tries to
resolve “-oProxyCommand=xeyes” as hostname, correctly failing:
$ ssh -- -oProxyCommand=xeyes
This command *must not* spawn xeyes, but does:
$ ssh -- vuxu.org -oProxyCommand=xeyes
This instead must execute “-oProxyCommand=xeyes” as command
on the remote side.
Interestingly enough, this command works the same and also
mustn’t but also doesn’t:
$ ssh vuxu.org -- -oProxyCommand=xeyes
Now it gets completely weird, this doesn’t spawn xeyes either:
$ ssh -- vuxu.org -- -oProxyCommand=xeyes
This “should” execute “--” as command with “-oProxyCommand=xeyes”
as its first option on the remote site, but judging from the error
| mksh: ProxyCommand=xeyes: unknown option
it instead passes “-oProxyCommand=xeyes” as option to a shell on
the remote side.
I don’t do the security theatre, but this could perhaps be considered
missing command escaping on the remote side (passing what would be a
command as an option to the remote shell) in addition to completely
fucked up option parsing on the local side.
This was first reported by nickserv-auth’d user jn__ on #musl on
Freenode IRC, and leah2 forwarded it to me as current de-facto
maintainer of GNU CVS because I considered adding “--” between
option and nōn-option arguments sufficient for fixing the afore‐
mentioned CVE, judging this effective enough with normal command
line parsing rules (as in getopt(3) on OpenBSD) and given the
.Sx SYNOPSIS
in the ssh manpage.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list