[Bug 3677] Proper escaping for ssh remote command line

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Mar 4 11:38:24 AEDT 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3677

--- Comment #2 from Daniel <sshbug24.10.hackie at recursor.net> ---
If the exec channel is a single string (I didn't know that), then ssh
should only accept one argument.

Accepting multiple arguments and then doing some kind of wrong
concatenation (wrong because it is incompatible with the usual shells)
is a potential attack vector because the magic hides the actual
limitation.

I have use cases like these:

ssh me@myserver tar c "/home/me/My Files" --exclude="*.bak" | tar xC /localdestination/

These are almost impossible to implement using the current
implementation, while the following commands work:

sudo -- tar c "/home/me/My Files" --exclude="*.bak" | tar xC /localdestination/

ionice -- tar c "/home/me/My Files" --exclude="*.bak" | tar xC /localdestination/

nice -- tar c "/home/me/My Files" --exclude="*.bak" | tar xC /localdestination/

fakeroot -- tar c "/home/me/My Files" --exclude="*.bak" | tar xC /localdestination/


or a different case:

on a server, do mkdir "a /" (note the space)

then, try to remove it including contents by remote command:

ssh me@myserver rm -rf "a /"

this command will remove all files from the server, but this was never
ever expected by the user.

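Added example (not part of the bug comment and not OpenSSH code): a Python model of the behaviour discussed above, assuming ssh joins its command arguments with single spaces into one string and the remote login shell follows POSIX quoting rules. `shlex.split` stands in for the remote shell's word splitting and does not model globbing or variable expansion; the function names are illustrative.

```python
import shlex


def ssh_command_string(argv):
    """Model of the exec request: the arguments joined by single spaces."""
    return " ".join(argv)


def remote_argv(command_string):
    """Approximate how a POSIX shell on the server splits the string.

    Assumption: quoting rules only, no glob or variable expansion.
    """
    return shlex.split(command_string)


def quoted_command_string(argv):
    """Quote every argument so the remote shell reproduces argv exactly."""
    return shlex.join(argv)


def compare(argv):
    """Return (argv seen remotely without quoting, argv seen with quoting)."""
    naive = remote_argv(ssh_command_string(argv))
    safe = remote_argv(quoted_command_string(argv))
    return naive, safe


# Constructed samples: argv as ssh receives it after the local shell has
# already removed the quotes typed in the commands from the comment.
TAR_ARGV = ["tar", "c", "/home/me/My Files", "--exclude=*.bak"]
RM_ARGV = ["rm", "-rf", "a /"]

if __name__ == "__main__":
    for argv in (TAR_ARGV, RM_ARGV):
        naive, safe = compare(argv)
        print("intended argv      :", argv)
        print("remote, unquoted   :", naive)
        print("remote, quoted     :", safe)
        print("single ssh argument:", quoted_command_string(argv))
        print()
```

Passing the string from `quoted_command_string` to ssh as one argument keeps the remote argv identical to the intended one under these assumptions.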