From: djm@openbsd.org Date: Wed, 4 Oct 2023 04:03:50 +0000 (+0000) Subject: upstream: add some cautionary text about % token expansion and X-Git-Tag: V_9_5_P1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ffe27e54a4bb18d5d3bbd3f4cc93a41b8d94dfd2;p=thirdparty%2Fopenssh-portable.git upstream: add some cautionary text about % token expansion and shell metacharacters; based on report from vinci AT protonmail.ch OpenBSD-Commit-ID: aa1450a54fcee2f153ef70368d90edb1e7019113 --- diff --git a/ssh_config.5 b/ssh_config.5 index 7f64c2cf9..367305d2c 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.386 2023/08/28 09:52:09 djm Exp $ -.Dd $Mdocdate: August 28 2023 $ +.\" $OpenBSD: ssh_config.5,v 1.387 2023/10/04 04:03:50 djm Exp $ +.Dd $Mdocdate: October 4 2023 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -2206,6 +2206,16 @@ accepts all tokens. and .Cm ProxyJump accept the tokens %%, %h, %n, %p, and %r. +.Pp +Note that some of these directives build commands for execution via the shell. +Because +.Xr ssh 1 +performs no filtering or escaping of characters that have special meaning in +shell commands (e.g. quotes), it is the user's reposibility to ensure that +the arguments passed to +.Xr ssh 1 +do not contain such characters and that tokens are appropriately quoted +when used. .Sh ENVIRONMENT VARIABLES Arguments to some keywords can be expanded at runtime from environment variables on the client by enclosing them in