The article mentioned printf '%q ', but it is a bit hard to find. Here is a handy way to remember it.
First, define this function:
quote-argv() { printf '%q ' "$@"; }
# (uses subtle vectorization of printf over args)
ssh example.com "$(quote-argv ls 'file with spaces')"
ls: cannot access 'file with spaces': No such file or directory
$ ssh example.com ls 'file with spaces'
ls: cannot access 'file': No such file or directory
ls: cannot access 'with': No such file or directory
ls: cannot access 'spaces': No such file or directory
They should both only take a SINGLE arg.
It is basically a self-own because spaces are an OPERATOR in shell! (the operator that separates words)
When you concatenate operators and variables, then you are mixing code and data, which is a security problem.
---
As for the exec workaround, I think this is also deficiency of shell. Oils will probably grow an 'invoke' builtin which generalizes 'command' and 'builtin', which are non-orthogonal.
'command true' means "external or builtin" (disabling shell function lookup), but there should be something that means "external only".
> hidden argv join
It is not hidden. It is written down in plain sight:
A complete command line may be specified as command, or it may have additional arguments. If supplied, the arguments will be appended to the command, separated by spaces, before it is sent to the server to be executed.
It's hidden in the sense that it creates ambiguity at the usage site. Compare with sudo:
$ sudo ls 'file with spaces'
ls: cannot access 'file with spaces': No such file or directory
$ ssh example.com ls 'file with spaces'
ls: cannot access 'file': No such file or directory
ls: cannot access 'with': No such file or directory
ls: cannot access 'spaces': No such file or directory
$ ssh example.com "ls 'file with spaces'"
Accepting a shell string is sometimes OK, but silently joining multiple args is useless, and insecure.
"RTFM" is not a good answer when security is involved.
This stubborn attitude to refuse to consult the documentation at all and then expect the tool to work according to your preconceptions.
Tools do have rough edges, if you don't want to learn about them, you will get bitten.
This statement can be true without contradicting anything anyone said upstream. Otherwise could use it to justify just about any bad design decision.
Yes it’s in the docs. Yes people who carefully read the docs won’t get bitten. Also yes the design could be improved so people don’t make this mistake even without reading the docs.
Both things can be true. We’re currently only talking about the latter, though.
> We’re currently only talking about the latter, though.
I'm surprised, as i started this subthread explicitly to contest that the argv join is "hidden".
> Tools do have rough edges, if you don't want to learn about them, you will get bitten.
I presume you consider INTERCAL to be a sanely designed programming language.
I'm not defending SSH's design, im criticizing peoples unwillingness to learn about the design as it is so they can work around it.
Edit: The INTERCAL handbook is a great read, and despite being satirical, it is more detailed and qualified than the documentation of some other popular projects.
It’s a design mistake because it adds exactly zero functionality.
The only thing it adds is insecurity.
If the feature didn’t exist, then it wouldn’t need to be documented, and the world would be better.
That's honestly not particularly clear. It doesn't say the command will be invoked by a shell on the remote host. Sure the whole "separated by spaces" thing sorta implies it will, as spaces don't mean much to anything but a shell, but it's still fairly vague.
In fact, later on the man page only mentions a shell in the part that talks about the behavior when no additional arguments are given:
When the user's identity has been accepted by the server, the server either executes the given command in a non-interactive session or, if no command has been specified, logs into the machine and gives the user a normal shell as an interactive session.
A few lines later it gets even more confusing:
The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.
> The wording "executes the given command" would generally not imply "I'll just throw it at $SHELL and see what happens".
"command" means exactly that. Evaluation by shell. With that in mind, the manual page should read less ambiguous to you.
I actually don't have a good source for that, but you can check the execve(2) manpage. If command would refer to the execution of an argument vector, it would have been mentioned in there.
The other meaning of "command" refers to specific programs like those in /bin.
Use ' %q' and you also fix the problem of program names starting with a dash.
Ah yes, that's clever:
$ sh -c "$(quote-argv -echo 'file with spaces')"
sh: 0: Illegal option -h
$ sh -c "$(quote-argv-left -echo 'file with spaces')"
sh: 1: -echo: not found
$ ssh example.com "$(quote-argv-left -dashtest 'file with spaces')"
-dashtest
file with spaces