ssh percent-escaping misses some corner cases
the @translate_ssh_variables()@ bash function (and a new bit added by Jamie McClelland in @monkeysphere-monitor-keys@) replaces the first instance of @%h@ with the user's homedir and the first instance of @%u@ with the user's name.
This misses a couple of cases that OpenSSH itself usually handles:
- if the admin wants a literal @%@, they are supposed to pass @%%@. we don't de-escape that sequence. consequently, an admin who perversely wants to target a file named (for example) @whatever%umbrella@ has no way of encoding that.
- since we're only replacing the first match for each substitution, an admin cannot include the same substitution twice. For example, if they want the user's name to appear twice in the path.
- we're doing the substitutions in order instead of in a single go. so if, for example, a user's name happens to have @%h@ in it, that will get expanded into the user's home directory.
These are all bizarre corner cases (or they seem that way to me) and i don't really see a way to exploit them, so i'm setting the Priority to Low here. But i wanted to note the problem in case anyone wants to take a crack at fixing them.
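For reference, here is one way to do the expansion in a single left-to-right pass so that all three corner cases above come out the way OpenSSH would handle them. This is an added example, not code from monkeysphere; the function name @expand_ssh_percent@ is made up here, and it only knows the tokens this report mentions (@%%@, @%h@, @%u@), leaving any other @%@ sequence untouched.

```shell
#!/bin/sh
# Single-pass expansion of OpenSSH-style percent tokens (added example, POSIX sh).
#   %%  -> a literal %
#   %h  -> the user's home directory
#   %u  -> the user's name
# Substituted values are never re-scanned, so a user name containing "%h"
# stays literal, and every occurrence of a token is expanded, not just the first.
# Usage: expand_ssh_percent TEMPLATE HOME USER
expand_ssh_percent() {
    template=$1; home=$2; user=$3
    out=""
    while [ -n "$template" ]; do
        rest=${template#?}              # template minus its first character
        c=${template%"$rest"}           # the first character itself
        if [ "$c" != "%" ]; then
            out="$out$c"; template=$rest
            continue
        fi
        next_rest=${rest#?}             # what follows the character after '%'
        next=${rest%"$next_rest"}       # the character after '%' ("" at end of string)
        case $next in
            %) out="$out%";     template=$next_rest ;;
            h) out="$out$home"; template=$next_rest ;;
            u) out="$out$user"; template=$next_rest ;;
            *) out="$out%";     template=$rest ;;      # unknown token: keep '%' literal
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample inputs covering the three cases from the report.
expand_ssh_percent 'whatever%%umbrella'   /home/alice alice     # whatever%umbrella
expand_ssh_percent '%h/.ssh/%u/%u'        /home/alice alice     # /home/alice/.ssh/alice/alice
expand_ssh_percent '%h/%u'                /home/bob   'bob%h'   # /home/bob/bob%h
```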
(from redmine: created on 2010-12-21)
Edited by John Scott