I came across this commit to Git today: https://github.com/git/git/commit/820d7650cc670d3e4195aad3a5343158c316e8fa which is part of a mitigation for a security bug they've found whereby they are constructing a "ssh" command based on user input, and are able to trick SSH into processing what should be a hostname as an option instead, if the user manages to trick give a hostname that begins with "-". It struck me that while ssh has options such as "-p" that allow explicit specification of a port, and "-l" for the login name, I don't see an equivalent to specify the host explicitly - rather it's parsed from the first positional argument. Has there been discussion as to whether it would be worthwhile adding such a flag so that a host (to connect to) could be passed more explicitly to ssh? (would need some thinking about how that would interact with the other positional arguments...) (I must admit I haven't studied the rest of the Git bug - before I read their commit my assumption was that this was a more typical string concatenation induced security bug. Once I read that commit I found this particular pattern of bug quite interesting, as they do in fact appear to be passing an array of arguments to SSH, they just don't have any way to explicitly call an argument a hostname) _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
