It’s a design mistake because it adds exactly zero functionality. The only thing...

blueflow · 2025-06-11T09:20:17 1749633617

[flagged]

chubot · 2025-06-11T13:57:30 1749650250

I think you missed the original point, which is that joining argv is equivalent to

    sh -c "$1 $2 $3 $4 ..."

This is a form of shell injection, just like

    sh -c "ls $dir"

because there's interpolation WITHOUT escaping.

That should be:

    dir=$(escape "$dir")
    sh -c "ls $dir"

Or simply

    ls "$dir"

It's not my preconception -- it's a security problem.

It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem.

blueflow · 2025-06-11T14:43:57 1749653037

The interpolation is not the security problem, the problem is the user not quoting their data.

It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.

Example for ssh:

  ssh host ls "$(quote "$dir")"

[1] https://hackerone.com/reports/3133379

immibis · 2025-06-12T07:20:29 1749712829

No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.

blueflow · 2025-06-12T07:57:00 1749715020

> ssh unquotes it

ssh does not unquote. Its the local shell, if you are invoking ssh via execv, this does not apply.

immibis · 2025-06-12T10:46:56 1749725216

So instead of unquoting your data itself, ssh invokes another program to unquote it. That's a distinction without a difference.

blueflow · 2025-06-12T11:03:25 1749726205

No, ssh is called by the local shell. ssh never gets to see the quoted value that you typed in your shell. This mechanism is unrelated to ssh, at all:

  $ printf "%s\n" "asdf"
  asdf

You see the double quotes go missing.

This happens as part of the shell turning the command string into argument vectors to pass to execv().

immibis · 2025-06-12T21:43:33 1749764613

When I run:

ssh foo@bar "echo 'hello world'"

ssh chooses to unquote the string: echo 'hello world'

splitting it into two parts (echo, and hello world), and then running the program echo with the argument hello world.

The fact it does this via a separate program is irrelevant.

blueflow · 2025-06-12T22:13:46 1749766426

> ssh chooses to unquote the string > splitting it into two parts

wrong, ssh does no argument splitting

> then running the program echo

wrong, it passes the string to the users login shell, whatever program that is. See sshd(8).

> The fact it does this via a separate program is irrelevant

just gently caress yourself.

immibis · 2025-06-13T06:47:42 1749797262

the fact that ssh chooses to invoke another program to split arguments instead of splitting arguments itself is a distinction without a difference.

Filligree · 2025-06-12T03:04:03 1749697443

And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.

blueflow · 2025-06-12T07:50:33 1749714633

I just posted one way how to do it correctly.

And research (aka: consulting the manpage) is an essential part of engineering. Doing that would also solve the problem.