
reject hostname option injection via bracketed mount source #362

Merged
h4sh5 merged 1 commit into libfuse:master from abhinavagarwal07:advisory-fix-1
May 29, 2026

@abhinavagarwal07
Collaborator

A source like [-oProxyCommand=CMD]:/path passes the bracket-parsing check in find_base_path() and ends up as -oProxyCommand=CMD in the ssh argv. When sftp_server is a path, ssh gets a destination argument and executes the injected ProxyCommand before connecting.

Reject hostnames starting with - after bracket stripping, and add -- before the hostname in the ssh command line so positional args can't be misread as options.

A source like [-oProxyCommand=CMD]:/path passes the bracket-parsing
check in find_base_path() and ends up as -oProxyCommand=CMD in the
ssh argv.  When sftp_server is a path, ssh gets a destination argument
and executes the injected ProxyCommand before connecting.

Reject hostnames starting with - after bracket stripping, and add --
before the hostname in the ssh command line so positional args can't
be misread as options.
@abhinavagarwal07 abhinavagarwal07 requested a review from h4sh5 May 29, 2026 23:10
@h4sh5 h4sh5 merged commit 6678acc into libfuse:master May 29, 2026
14 checks passed
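
The two checks the description names (reject a hostname starting with `-` after bracket stripping, and put `--` before the hostname), as an added C example that is not sshfs's own code. `split_source()` and `build_ssh_argv()` are hypothetical helpers, and the argv layout with the server path after the host is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not sshfs's find_base_path()): split "[host]:path"
 * or "host:path". Returns 0 on success, -1 if the source is rejected. */
int split_source(const char *src, char *host, size_t hostsz, const char **path)
{
    const char *start = src, *end;
    if (*src == '[') {                 /* bracketed form, e.g. IPv6 literal */
        start = src + 1;
        end = strchr(start, ']');
        if (end == NULL || end[1] != ':')
            return -1;
        *path = end + 2;
    } else {
        end = strchr(src, ':');
        if (end == NULL)
            return -1;
        *path = end + 1;
    }
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= hostsz)
        return -1;
    memcpy(host, start, len);
    host[len] = '\0';
    /* Checked after bracket stripping: ssh reads a leading '-' as an option. */
    return host[0] == '-' ? -1 : 0;
}

/* Assumed argv layout: options, "--", host, server path. The "--" makes ssh
 * treat what follows as positional. Returns argc, or -1 if argv is too small. */
int build_ssh_argv(const char *host, const char *server, const char **argv, int max)
{
    const char *args[] = { "ssh", "-x", "-a", "--", host, server };
    int n = (int)(sizeof args / sizeof args[0]);
    if (max < n + 1)
        return -1;
    for (int i = 0; i < n; i++)
        argv[i] = args[i];
    argv[n] = NULL;
    return n;
}

int main(void)
{
    char host[64];
    const char *path;   /* input below follows the pattern in the description */
    printf("%d\n", split_source("[-oProxyCommand=CMD]:/path", host, sizeof host, &path));
    return 0;
}
```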