blueflow 2 days ago

The interpolation is not the security problem, the problem is the user not quoting their data.

It's similar to curl CWE-93[1], where it was documented, in-use behavior and was consequently rejected as a security problem.

Example for ssh:

  ssh host ls "$(quote "$dir")"

[1] https://hackerone.com/reports/3133379

2
Filligree 1 day ago

And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.

blueflow 1 day ago

I just posted one way to do it correctly.

And research (aka: consulting the manpage) is an essential part of engineering. Doing that would also solve the problem.

immibis 1 day ago

No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.

blueflow 1 day ago

> ssh unquotes it

ssh does not unquote. It's the local shell; if you are invoking ssh via execv, this does not apply.

immibis 1 day ago

So instead of unquoting your data itself, ssh invokes another program to unquote it. That's a distinction without a difference.

blueflow 1 day ago

No, ssh is called by the local shell. ssh never gets to see the quoted value that you typed in your shell. This mechanism is unrelated to ssh, at all:

  $ printf "%s\n" "asdf"
  asdf

You see the double quotes go missing.

This happens as part of the shell turning the command string into argument vectors to pass to execv().

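An added worked example, not posted by anyone in the thread, tying the `quote` helper from blueflow's first comment to the parsing explanation just above. It reproduces both rounds of parsing without a real ssh connection: the local shell's word splitting and quote removal before execv(), and the remote login shell re-parsing the single command string that sshd hands it with `-c` (see sshd(8)). The names `quote`, `remote_login_shell`, `naive_remote_cmd`, `safe_remote_cmd` and `argc_seen_by_command` are constructed for this example (the thread's `quote` is only a placeholder, this is one POSIX implementation of it), and the directory names are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates the two rounds of shell
# parsing a remote ssh command goes through, without a real ssh connection:
#  1. the LOCAL shell parses your command line, strips quotes, and hands
#     ssh an argv via execv();
#  2. ssh joins its remaining args into one string and sshd hands that string
#     to the REMOTE login shell as `$SHELL -c "string"` (see sshd(8)), which
#     parses it again.
# remote_login_shell, naive_remote_cmd, safe_remote_cmd and quote are names
# constructed for this example; the directory names below are made up.

# Step 1 made visible: by the time a command runs, the local shell has already
# done the word splitting and quote removal. Returns the argument count.
argc_seen_by_command() {
    printf '%d' "$#"
}

# Single-quote a string for a POSIX shell: wrap it in '...' and replace every
# embedded ' with '\'' (close the quote, emit an escaped ', reopen).
# Pure parameter expansion, so trailing newlines survive, which a
# sed-in-command-substitution version would silently drop.
quote() {
    s=$1
    out="'"
    while [ -n "$s" ]; do
        case $s in
            "'"*) out="$out'\\''"; s=${s#"'"} ;;
            *)    head=${s%%"'"*}        # run of text up to the next '
                  out="$out$head"
                  s=${s#"$head"} ;;
        esac
    done
    printf '%s' "$out'"
}

# Step 2 stand-in for sshd: run the single command string through a shell.
remote_login_shell() {
    sh -c "$1"
}

# The mistake: `ssh host printf '[%s]\n' "$dir"`. The local double quotes
# keep $dir as one argument for ssh, but nothing protects it from the remote
# shell, which re-splits it and runs whatever ';' or '$(...)' it contains.
naive_remote_cmd() {
    remote_login_shell "printf '[%s]\n' $1"
}

# The fix: quote for the remote shell as well, i.e.
# `ssh host printf '[%s]\n' "$(quote "$dir")"`.
safe_remote_cmd() {
    remote_login_shell "printf '[%s]\n' $(quote "$1")"
}

# Demo when run directly.
dir='my dir; echo INJECTED'           # constructed hostile directory name
echo "argv entries with local quotes:    $(argc_seen_by_command ls "$dir")"
echo "argv entries without local quotes: $(argc_seen_by_command ls $dir)"
echo "--- naive (command injected on the remote side):"
naive_remote_cmd "$dir"
echo "--- quoted (one argument, nothing executed):"
safe_remote_cmd "$dir"
echo "--- embedded single quote also survives:"
safe_remote_cmd "it's"
```

The point the block makes concrete: the outer double quotes are consumed locally and are correct for the local shell; `quote` produces a second, independent layer that is consumed by the remote login shell. A program that execs ssh directly with an argv skips round 1 but still needs the `quote` layer for round 2.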
immibis 21 hours ago

When I run:

ssh foo@bar "echo 'hello world'"

ssh chooses to unquote the string: echo 'hello world'

splitting it into two parts (echo, and hello world), and then running the program echo with the argument hello world.

The fact it does this via a separate program is irrelevant.

blueflow 20 hours ago

> ssh chooses to unquote the string

> splitting it into two parts

wrong, ssh does no argument splitting

> then running the program echo

wrong, it passes the string to the users login shell, whatever program that is. See sshd(8).

> The fact it does this via a separate program is irrelevant

just gently caress yourself.

immibis 11 hours ago

the fact that ssh chooses to invoke another program to split arguments instead of splitting arguments itself is a distinction without a difference.