Comment by blueflow
6 days ago
The interpolation is not the security problem, the problem is the user not quoting their data.
It's similar to curl CWE-93[1], where it was documented and in-use behavior and consequently was rejected as a security problem.
Example for ssh:
ssh host ls "$(quote "$dir")"
No, the problem is that even if you quote your data, ssh unquotes it, so you have to quote it twice.
> ssh unquotes it
ssh does not unquote. Its the local shell, if you are invoking ssh via execv, this does not apply.
So instead of unquoting your data itself, ssh invokes another program to unquote it. That's a distinction without a difference.
6 replies →
And yet it keeps happening. An engineering field grows up when people stop assigning blame, and start searching for solutions.
I just posted one way how to do it correctly.
And research (aka: consulting the manpage) is an essential part of engineering. Doing that would also solve the problem.