From 572646d53070947566ef951c4e8defa5d716663f Mon Sep 17 00:00:00 2001 From: djm Date: Thu, 2 Apr 2026 07:50:55 +0000 Subject: [PATCH] move username validity check for usernames specified on the commandline to earlier in main(), specifically before some contexts where a username with shell characters might be expanded by a %u directive in ssh_config. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We continue to recommend against using untrusted input on the SSH commandline. Mitigations like this are not 100% guarantees of safety because we can't control every combination of user shell and configuration where they are used. Reported by Florian Kohnhäuser --- usr.bin/ssh/ssh.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr.bin/ssh/ssh.c b/usr.bin/ssh/ssh.c index 032eec98e12..8a2dbf8c89e 100644 --- a/usr.bin/ssh/ssh.c +++ b/usr.bin/ssh/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.629 2026/03/30 07:18:24 djm Exp $ */ +/* $OpenBSD: ssh.c,v 1.630 2026/04/02 07:50:55 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -1113,8 +1113,15 @@ main(int ac, char **av) if (!host) usage(); + /* + * Validate commandline-specified values that end up in %tokens + * before they are used in config parsing. + */ + if (options.user != NULL && !ssh_valid_ruser(options.user)) + fatal("remote username contains invalid characters"); if (!ssh_valid_hostname(host)) fatal("hostname contains invalid characters"); + options.host_arg = xstrdup(host); /* Initialize the command to execute on remote host. */
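Review bot: The new comment above the `options.user` check in the second hunk does not say that this early check covers only a username given on the commandline, and the patch adds the check without removing one anywhere, although the commit message describes a move. Config parsing has presumably not run yet at this point, so a `User` value from ssh_config would not be in `options.user`; main() continues outside the hunk, and these lines do not show whether such a name is validated later. I would extend the comment with a line such as `* Only commandline-supplied values are known here; a User from ssh_config still has to be validated after config parsing.` and name the later check if one exists. It is also worth stating in the comment, as the commit message does, that `ssh_valid_ruser()` is a mitigation for %u expansion and not a guarantee.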