Given the URL in a web browser: "ssh://user@somehost.%60id%3E%2Ftmp%2Fwhoami%60.example.com" iTerm2 currently launches ssh with a hostname of: somehost.`id>/tmp/whoami`.example.com With a vanilla SSH configuration this is ok since SSH errors out with "host not found." However, with a special SSH configuration, a website can execute an arbitrary command: ``` Host * ProxyCommand connect_to %r %h ``` What happened: `id>/tmp/whoami` was executed. What should have happened instead: 1) SSH passes %r/%h as an argument to the ProxyCommand without shell interpolation 2) %h should be validated to adhere to valid punycode 3) Introduce a SafeProxyCommand that only allows safe characters in %r/%h/etc...
ProxyCommand is explicitly documented as executing its commands via the user's shell, and you've elected to use a ProxyCommand with no quoting. E.g. 'ProxyCommand=connect_to "%r" "%h"' would have been sufficient to avoid this. If you're going to plumb random string from potentially-adversarial sources like a browser then you need to understand the contexts in which they are going to end up used. Since ssh(1) doesn't handler ssh:// URLs itself, you're already doing processing somewhere. That would be the place for this sort of santisation.
closing resolved bugs as of 8.6p1 release