chubot 1 day ago

I think you missed the original point, which is that joining argv is equivalent to

    sh -c "$1 $2 $3 $4 ..."
This is a form of shell injection, just like

    sh -c "ls $dir"
because there's interpolation WITHOUT escaping.

That should be:

    dir=$(escape "$dir")
    sh -c "ls $dir"
Or simply

    ls "$dir"
It's not my preconception -- it's a security problem.

It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem.

blueflow 1 day ago

The interpolation is not the security problem, the problem is the user not quoting their data.

It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.

Example for ssh:

  ssh host ls "$(quote "$dir")"
[1] https://hackerone.com/reports/3133379
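The two forms chubot and blueflow describe side by side, as an added example (not code from the thread or from OpenSSH). `fake_ssh` stands in for an ssh/sshd pair on the assumption that, like OpenSSH, the command words are joined with spaces and the remote side hands that single string to the login shell, so a local `sh -c` reproduces the remote parse offline. `quote` is a POSIX single-quoting helper in the role of the `quote` in blueflow's `ssh host ls "$(quote "$dir")"`; the function names and the directory name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# ASSUMPTION: a real `ssh host cmd...` joins the command words with spaces and
# the remote sshd hands that one string to the user's login shell; fake_ssh
# below models that with a local `sh -c` so the demo runs offline.

# Stand-in for ssh: drop the host, join the remaining words, reparse with sh.
fake_ssh() {
    shift
    sh -c "$*"
}

# quote: single-quote a string for a POSIX shell, turning each embedded '
# into '\'' so the reparsing shell sees the original bytes as one word.
quote() {
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Vulnerable form: unescaped interpolation, the remote equivalent of
# chubot's `sh -c "ls $dir"`.
remote_echo_naive() {
    fake_ssh host echo "$1"
}

# Hardened form: the same call with the argument escaped first.
remote_echo_quoted() {
    fake_ssh host echo "$(quote "$1")"
}

# Constructed attacker-controlled value: a name containing shell metachars.
dir='x; echo INJECTED'

printf 'naive  : '; remote_echo_naive "$dir"     # remote shell runs two commands
printf 'quoted : '; remote_echo_quoted "$dir"    # remote shell echoes the literal name
printf 'quoted : '; remote_echo_quoted "it's a dir"
```

The naive call prints `x` and then `INJECTED` on a second line, because the reparsing shell saw `echo x; echo INJECTED`; the quoted call prints the name verbatim. The `quote` helper only targets POSIX shells: if the remote login shell is something else (fish, a restricted shell, PowerShell), its quoting rules apply instead, which is exactly why escaping has to be done for the interpreter that will actually reparse the string.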

Filligree 19 hours ago

And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.

blueflow 14 hours ago

I just posted one way to do it correctly.

And research (aka: consulting the manpage) is an essential part of engineering. Doing that would also solve the problem.

immibis 14 hours ago

No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.

blueflow 14 hours ago

> ssh unquotes it

ssh does not unquote. It's the local shell; if you are invoking ssh via execv, this does not apply.

immibis 11 hours ago

So instead of unquoting your data itself, ssh invokes another program to unquote it. That's a distinction without a difference.

blueflow 11 hours ago

No, ssh is called by the local shell. ssh never gets to see the quoted value that you typed in your shell. This mechanism is unrelated to ssh, at all:

  $ printf "%s\n" "asdf"
  asdf
You see the double quotes go missing.

This happens as part of the shell turning the command string into argument vectors to pass to execv().
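To make the two parsing stages concrete, here is an added example (not from the thread or from OpenSSH). A `fake_ssh` stand-in joins the words it receives and reparses them with `sh -c`, on the assumption that this matches what sshd does when it hands the command string to the login shell; the remote command prints its words comma-separated so you can count how many the second parse produced. The function names and the `hello world` input are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH.
# ASSUMPTION: like OpenSSH, the fake_ssh stand-in joins the words it receives
# with spaces, and the remote login shell reparses that string (`sh -c` here).

# local_argc: how many words did the *local* shell hand to the program?
local_argc() {
    echo "$#"
}

# fake_ssh: drop the host and reparse the joined words, as sshd's `$SHELL -c`.
fake_ssh() {
    shift
    sh -c "$*"
}

# Each remote command prints its words followed by commas, so the number of
# words the *remote* shell produced is visible in the output.
remote_words_from_one_arg() {      # quotes survive inside the single argument
    fake_ssh host "printf '%s,' 'hello world'"
}
remote_words_from_many_args() {    # local shell strips the quotes first
    fake_ssh host printf '%s,' 'hello world'
}
remote_words_quoted_twice() {      # inner quotes are left for the remote shell
    fake_ssh host printf "'%s,'" "'hello world'"
}

printf 'local argc, one arg   : '; local_argc "echo 'hello world'"
printf 'local argc, two args  : '; local_argc echo 'hello world'
printf 'remote, one arg       : '; remote_words_from_one_arg;   echo
printf 'remote, many args     : '; remote_words_from_many_args; echo
printf 'remote, quoted twice  : '; remote_words_quoted_twice;   echo
```

The first remote call yields `hello world,` (one word) because the quotes were still inside the single argument when the remote shell parsed it; the second yields `hello,world,` (two words) because the local shell had already consumed the quotes before `fake_ssh` ever saw them. The third call shows the "quote twice" workaround: one layer of quoting for the local shell and one that survives into the joined string for the remote one.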

immibis 35 minutes ago

When I run:

  ssh foo@bar "echo 'hello world'"

ssh chooses to unquote the string: echo 'hello world'

splitting it into two parts (echo, and hello world), and then running the program echo with the argument hello world.

The fact it does this via a separate program is irrelevant.

blueflow 5 minutes ago

> ssh chooses to unquote the string

> splitting it into two parts

wrong, ssh does no argument splitting

> then running the program echo

wrong, it passes the string to the users login shell, whatever program that is. See sshd(8).

> The fact it does this via a separate program is irrelevant

just gently caress yourself.