Comment by blueflow
7 days ago
This stubborn attitude to refuse to consult the documentation at all and then expect the tool to work according to your preconceptions.
Tools do have rough edges, if you don't want to learn about them, you will get bitten.
This statement can be true without contradicting anything anyone said upstream. Otherwise you could use it to justify just about any bad design decision.
Yes it’s in the docs. Yes people who carefully read the docs won’t get bitten. Also yes the design could be improved so people don’t make this mistake even without reading the docs.
Both things can be true. We’re currently only talking about the latter, though.
> We’re currently only talking about the latter, though.
I'm surprised, as I started this subthread explicitly to contest that the argv join is "hidden".
It’s a design mistake because it adds exactly zero functionality.
The only thing it adds is insecurity.
If the feature didn’t exist, then it wouldn’t need to be documented, and the world would be better.
I think you missed the original point, which is that joining argv is equivalent to
This is a form of shell injection, just like
because there's interpolation WITHOUT escaping.
That should be:
Or simply
It's not my preconception -- it's a security problem.
It's similar to ShellShock -- you can argue it was documented behavior, but it's still a security problem.
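Added example, not part of any comment in this thread: a local model of the argv join being argued about, with `sh -c` standing in for the remote shell so nothing touches the network. The function names `remote_exec`, `sh_quote` and `remote_exec_quoted` are assumptions made for illustration.

```shell
#!/bin/sh
# Model of the behaviour under discussion: ssh joins its trailing argv with
# single spaces and the remote login shell re-parses the resulting string.
# `sh -c` plays the remote side here (assumption: a POSIX shell on the far end).
remote_exec() {
    sh -c "$*"
}

# Quote one argument so a POSIX shell reads it back as exactly one word:
# wrap it in single quotes and rewrite each embedded ' as '\''.
# The trailing "x" sentinel keeps trailing newlines alive through $(...).
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Hypothetical wrapper: quote every argument first, then let the join happen.
remote_exec_quoted() {
    cmd=
    for arg in "$@"; do
        cmd="$cmd $(sh_quote "$arg")"
    done
    remote_exec "$cmd"
}

# Constructed sample input: one argument containing a space.
# Word boundaries are lost in the unquoted join and kept in the quoted one.
remote_exec printf '%s,' 'a b' c; echo          # a,b,c,
remote_exec_quoted printf '%s,' 'a b' c; echo   # a b,c,
```

With the quoted wrapper, shell metacharacters inside an argument arrive as data in that argument instead of being parsed by the receiving shell.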
This very stubborn attitude to defend a bad design because it's documented.
Bugs can be fixed.
It is bad design, but your idea of something does not make anything non-conforming a bug.
> Tools do have rough edges, if you don't want to learn about them, you will get bitten.
I presume you consider INTERCAL to be a sanely designed programming language.
I'm not defending SSH's design, I'm criticizing people's unwillingness to learn about the design as it is so they can work around it.
Edit: The INTERCAL handbook is a great read, and despite being satirical, it is more detailed and qualified than the documentation of some other popular projects.