mirror of
https://github.com/cockpit-project/cockpit.git
synced 2026-05-06 04:16:43 -04:00
Allison Karlitskaya
9d0695647c
`cockpit-ws` has never protected hostnames from being interpreted as cli
options when passing them to the auth commands (`cockpit-session`,
`cockpit-ssh`, `cockpit.beiboot`). There have been a couple of relevant
changes over the years:
- our move to using cockpit-session via unix socket has removed
exposure to this problem for `cockpit-session`
- our move from `cockpit-ssh` (glib argument parser) to
`cockpit.beiboot` (Python argparse) has unfortunately exposed us to
https://github.com/python/cpython/issues/66623 which means (due to a
strange heuristic) that arguments starting with '-' can be
interpreted as positionals if they also have spaces in them
This gives a way to get a hostname starting with a `-` to ssh (where it
*will* be interpreted as an option) and the following argument (the
python invocation on the remote) will be interpreted as the hostname.
Fortunately, new versions of ssh will reject this hostname. In any
case, we should firm up the code here and add `--` to ensure that it's
definitely interpreted as a hostname by ssh.
For a similar reason add a `--` to the ssh command in `cockpit-ws`.
CVE-2026-4631