
Remote code execution when cloning a malicious Git, Mercurial or SVN repository - avar
https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/T/#u
======
wahern

      A "ssh://..." URL can result in a "ssh" command line with a
      hostname that begins with a dash "-", which would cause the 
      "ssh" command to instead (mis)treat it as an option. This is 
      now prevented by forbidding such a hostname (which should
      not impact any real-world usage).
    

Why not simply use "\--", which is the standard way to separate option from
non-option arguments? OpenSSH uses getopt(3) and so fully supports this
behavior, as should any other correctly written utility. At the very least,
"\--" should be used in addition to hostname filters.

~~~
avar
Not all SSH implementations use this convention. Git would need to start
detecting if your ssh is openssh.

