On Fri, 2017-08-11 at 10:07 +1000, Adam Eijdenberg wrote: > I came across this commit to Git today: > https://github.com/git/git/commit/820d7650cc670d3e4195aad3a5343158c31 > 6e8fa > > which is part of a mitigation for a security bug they've found > whereby > they are constructing a "ssh" command based on user input, and are > able to trick SSH into processing what should be a hostname as an > option instead, if the user manages to trick give a hostname that > begins with "-". > > It struck me that while ssh has options such as "-p" that allow > explicit specification of a port, and "-l" for the login name, I > don't > see an equivalent to specify the host explicitly - rather it's parsed > from the first positional argument. There is always option to pass it to the argument of HostName option. But you will still have to use some bogus hostname for positional argument anyway. For example ssh -oHostName="example.com" bogus It is not nice, but it should do the job for such cases and avoid parsing it as a different argument. Regards, -- Jakub Jelen Software Engineer Security Technologies Red Hat, Inc. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev