Comment by blueflow

6 days ago

The interpolation is not the security problem, the problem is the user not quoting their data.

It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.

Example for ssh:

  ssh host ls "$(quote "$dir")"

[1] https://hackerone.com/reports/3133379
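An added example, not part of the thread, showing the two parsing layers the comment above relies on. The body of `quote` is an assumption (the comment calls it without showing it), and `fake_ssh` and `argv` are constructed stand-ins so the behaviour can be observed offline: like ssh, `fake_ssh` joins the command and its arguments with spaces and hands the string to a second shell.

```shell
#!/bin/sh
# Added example. quote() is an assumed implementation; the thread only calls it.

# quote STRING: print STRING as one single-quoted POSIX shell word.
# Embedded ' becomes '\'' ; the printf/sed form keeps trailing newlines intact.
quote() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/"
}

# fake_ssh HOST CMD [ARG...]: offline stand-in for ssh (assumption: models only
# the command handling). Like ssh, it joins CMD and ARGs with spaces and lets a
# second shell parse the resulting string. argv is a constructed helper that
# prints each argument it receives as <arg>.
fake_ssh() {
    shift   # HOST is unused in the simulation
    sh -c 'argv() { for a in "$@"; do printf "<%s>" "$a"; done; }; '"$*"
}

# Local double quotes only: consumed by the local shell before ssh runs.
naive() { fake_ssh host argv "$1"; }

# Local quotes plus quote(): the second layer survives for the remote shell.
safe() { fake_ssh host argv "$(quote "$1")"; }

dir='my dir'                       # constructed sample value
printf 'naive: %s\n' "$(naive "$dir")"
printf 'safe:  %s\n' "$(safe "$dir")"
```
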

No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.

  • > ssh unquotes it

    ssh does not unquote. It's the local shell, if you are invoking ssh via execv, this does not apply.

And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.

  • I just posted one way to do it correctly.

    And research (aka: consulting the manpage) is an essential part of engineering. Doing that would also solve the problem.