The ssh documentation (man pages) uses "the user's shell" with different meanings. For sshd, it is IMHO clear that "the user's shell" refers to the shell specified in /etc/passwd (if there's another way to specify it, this should be described). For the local side (for LocalCommand and ProxyCommand), the ssh_config man page should say that it uses $SHELL if any (else the shell from /etc/passwd?) and that it assumes that $SHELL uses an absolute pathname. Moreover SHELL should be listed in the ENVIRONMENT section of the ssh(1) man page.
Note: this follows the wontfix of bug 1494.
Given the URL in a web browser: "ssh://user@somehost.%60id%3E%2Ftmp%2Fwhoami%60.example.com"

iTerm2 currently launches ssh with a hostname of: somehost.`id>/tmp/whoami`.example.com

With a vanilla SSH configuration this is ok since SSH errors out with "host not found." However, with a special SSH configuration, a website can execute an arbitrary command:

```
Host *
ProxyCommand connect_to %r %h
```

What happened: `id>/tmp/whoami` was executed.

What should have happened instead:
1) SSH passes %r/%h as an argument to the ProxyCommand without shell interpolation
2) %h should be validated to adhere to valid punycode
3) Introduce a SafeProxyCommand that only allows safe characters in %r/%h/etc...
re comment #1: I don't think this needs documentation, since it's a) pretty standard behaviour for user programs to use $SHELL where available (e.g. in ssh).

BTW, the ENVIRONMENT section is for variables that are set when logging in, not variables that ssh uses internally so even if we did document it

re comment #3: ITerm2 is clearly doing the wrong thing here. If it's passing stuff from an untrusted source (e.g. the web) to a shell program, then it's ITerm2's job to ensure that it's appropriately sanitised first.
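Validating an ssh:// target before it is handed to ssh, as comment #3 (points 2 and 3) asks for and comment #4 places on the calling program. This is an added Python example, not iTerm2's or OpenSSH's code; the hostname and login-name alphabets, and ending the option list with `--` before the host, are assumptions about a conservative allowlist.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit, unquote

# Assumed allowlists (not from the bug report):
# RFC 1123 hostname label: alphanumerics, hyphens only inside, 1-63 chars.
# Punycode (IDNA) labels such as "xn--bcher-kva" already fit this alphabet,
# so backticks, '>', '/' and ';' from a URL can never reach the shell.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Conservative POSIX-style login name: no metacharacters, no leading '-'.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_hostname(host: str) -> bool:
    """True only if every DNS label matches the RFC 1123 alphabet."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in host.rstrip(".").split("."))


def ssh_argv_from_url(url: str) -> Optional[List[str]]:
    """Turn an ssh:// URL into an exec argv, or None if any part is unsafe.

    Percent-escapes are decoded *before* validation, so the check sees the
    same string ssh would expand into %h, not its encoded form.
    """
    parts = urlsplit(url)
    if parts.scheme != "ssh":
        return None
    host = unquote(parts.hostname or "")
    user = unquote(parts.username or "")
    if not valid_hostname(host):
        return None
    if user and not _USER_RE.match(user):
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    argv = ["ssh"]
    if port:
        argv += ["-p", str(port)]
    if user:
        argv += ["-l", user]
    # "--" ends option parsing so the host can never be read as an option.
    argv += ["--", host]
    return argv  # pass to subprocess.run(argv) with shell=False
```

The hostname from the report above decodes to somehost.`id>/tmp/whoami`.example.com, whose middle label fails the allowlist, so the function returns None and nothing is launched.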
(In reply to Damien Miller from comment #3)
> re comment #1: I don't think this needs documentation, since it's a)
> pretty standard behaviour for user programs to use $SHELL where
> available (e.g. in ssh).

It's not a standard behavior: many programs use system(), e.g. mailcap. However, their documentation doesn't say "the user's shell" in such a case. So perhaps "the user's shell" implies the use of $SHELL if set. This is still a bit confusing. For instance, ksh93 sets $SHELL to /bin/sh if it is not already set (!!!), and this is definitely not the user's shell.

It's still not clear about the absolute pathname. Note that POSIX just uses the term "pathname" for both $SHELL and $0, while in $0, the pathname may be relative (in which case, resolved using $PATH). I've just raised an issue in the Austin Group mailing-list, hoping that this will be clarified in POSIX.

> BTW, the ENVIRONMENT section is for variables that are set when
> logging in, not variables that ssh uses internally so even if we
> did document it

Yes, but if needed, there could be 2 parts under this section.
(In reply to Vincent Lefevre from comment #4)
> It's still not clear about the absolute pathname. Note that POSIX
> just uses the term "pathname" for both $SHELL and $0, while in $0,
> the pathname may be relative (in which case, resolved using $PATH).
> I've just raised an issue in the Austin Group mailing-list, hoping
> that this will be clarified in POSIX.

The only answer I got is that "what constitutes a valid value for a platform should be documented". So, I've requested a more detailed documentation in the environ(7) man page: https://bugzilla.kernel.org/show_bug.cgi?id=196513
Close all resolved bugs after release of OpenSSH 7.7.