ssh-host-config eval password bug

Christopher Faylor cgf-use-the-mailinglist-please@cygwin.com
Mon Jul 6 00:44:00 GMT 2009


On Sun, Jul 05, 2009 at 03:50:02PM -0600, Eric Blake wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>According to Ian Kelling on 7/5/2009 12:06 PM:
>> In the ssh package there is a bug in /usr/bin/ssh-host-config where if
>> you select a valid password spaces or punctuation that bash knows of, it
>> will fail and you could possibly shoot yourself in the foot due to
>> evaling your password. I don't know who is responsible, or what mailing
>> list to post on, but here is a patch.
>
>This is the right list.
>
>> -      cygwin_env="-e CYGWIN=\"${csih_cygenv}\""
>> +      cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
>
>I don't see why you need an array variable.
>
>>      fi
>>      if [ -z "${password}" ]
>>      then
>> -      if eval cygrunsrv -I sshd -d \"CYGWIN sshd\" -p /usr/sbin/sshd \
>> -                -a "-D" -y tcpip ${cygwin_env}
>> +      if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
>> +                -a "-D" -y tcpip "${cygwin_env[@]}"
>
>The eval is still reasonable, but with proper quoting:
>
>if eval cygrunsrv ... -y tcpip "${cygwin_env}"

How is eval better than an array environment variable?  The above use of
"${cygwin_env[@]}" seems to do exactly what you'd want without worrying
about the additional gotchas from an eval.

cgf

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple



More information about the Cygwin mailing list