top | item 38759741

Funnnny | 2 years ago

> but honestly it's not far off that level of “well, duh”

I think the real problem is that other apps do use ssh and malicious actors can inject untrusted input without the user's consent.

The git POC is one example, and while I do think that git also needs to be updated, fixing the problem on the ssh side is also a good idea.

cwillu | 2 years ago

The OpenSSH fix isn't a fix, though: it depends on ssh knowing what badness needs to be filtered out, but the shell is set by the user.

It needs to be changed to pass data in a way that doesn't require escaping to reference, such as an environment variable: "$HOST" would then be expanded by the shell, and all the usual rules for safely using environment variables would apply, because ssh wouldn't be the thing performing the variable expansion like it is now.

(For most purposes, my original take in the top level was wrong, but it's too late to edit it now)
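The data-versus-code distinction cwillu describes, as an added illustration that is not part of the thread and not code from OpenSSH or any commenter. The "ProxyCommand" is a stand-in built from `echo`, the hostnames are constructed samples, and `%h` is used the way ssh uses it as its hostname token. The first function textually substitutes the hostname into the command before the shell sees it (so the hostname is parsed as shell code); the second passes it as an environment variable that the command references as `"$HOST"` (so the shell treats it as data and ordinary quoting rules apply).

```shell
#!/bin/sh
# Added example: two ways of getting a hostname into a shell command.
# Neither function is OpenSSH's implementation; both only run `echo`.

# Mimic token expansion: replace the first %h in the template with the host
# string and hand the result to sh -c. Whatever is in $host becomes part of
# the command text, so shell metacharacters in it are interpreted.
run_with_token_expansion() {
    template=$1
    host=$2
    prefix=${template%%"%h"*}   # text before %h
    suffix=${template#*"%h"}    # text after %h
    sh -c "$prefix$host$suffix"
}

# The alternative cwillu proposes: the template is fixed text that references
# "$HOST", and the hostname travels in the environment. The shell expands the
# variable once and never re-parses its value as code.
run_with_env_var() {
    template=$1
    HOST=$2 sh -c "$template"
}

# Constructed sample hostnames: a normal one and one carrying a command
# substitution, which is the kind of input a repository or link could supply.
if [ "${0##*/}" != "sh" ]; then
    for host in 'example.com' '$(echo INJECTED)'; do
        echo "token expansion : $(run_with_token_expansion 'echo connecting to %h' "$host")"
        echo "environment var : $(run_with_env_var 'echo connecting to "$HOST"' "$host")"
    done
fi
```

With the second hostname the token-expanding version prints `connecting to INJECTED`, showing that the substitution ran, while the environment-variable version prints the hostname literally. The point is the one made above: once the shell is the only thing expanding the value, ssh no longer needs to know which characters the user's particular shell treats as special.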

vin10 | 2 years ago

OP here. Another interesting attack vector I have been working on is OSC 8 for hyperlink support in terminals. Mostly they allow arbitrary URL schemes, including "ssh://", without any prompt or user interaction to consent to opening an external tool, like an ssh client in this case.

A good discussion on this: https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3c...