CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/04/02 01:50:55
Modified files:
usr.bin/ssh : ssh.c
Log message:
move username validity check for usernames specified on the
commandline to earlier in main(), specifically before some
contexts where a username with shell characters might be
expanded by a %u directive in ssh_config.
We continue to recommend against using untrusted input on
the SSH commandline. Mitigations like this are not 100%
guarantees of safety because we can't control every
combination of user shell and configuration where they are
used.
Reported by Florian Kohnhäuser
