command [argument ...] in ssh(1): a footgun
Mingye Wang (Artoria2e5)
arthur2e5 at aosc.io
Fri May 26 18:33:06 AEST 2023
Hi,
ssh(1) currently affords an argument-passing functionality, but as the
manpage states, all arguments are simply concatenated by space. This
behavior is non-obvious for those reading only the synopsis: one would
expect something that takes argv input to somehow preserve the argument
boundary and not, say, let a semicolon ruin all the fun. This is
probably old news for all of you.
I have two proposals for dealing with this problem. One modest, one less
so.
The modest proposal is that we put a giant CAVEATS section in the manual
page. Now this does not help anyone who won't read the manpage at all,
but at least by spelling it out we catch skim readers' attention. If
someone's code blows up with this assumption, we can at least say "we
told you so".
The less modest one is we throw out the "[argument ...]" part
altogether. It does not add much functionality, really: everything it
does can be achieved by putting a big quotation mark over the existing
arguments invocation. There is not much to lose by doing so, except for
the logistical costs of deprecation and removal.
What about escaping the arguments? Nobody said the user has to use a
POSIX shell, so we simply don't have a universal escape method. The
manual's DESCRIPTION section is a bit vague here: it does not specify
which shell is used. In truth, session.c runs the user's shell via the
`-c` option, not just the system POSIX shell via system().
Sincerely,
Mingye Wang (Artoria2e5)
More information about the openssh-unix-dev
mailing list