Bug#1118288: openssh-client: ssh-agent does not handle paths with spaces



On Mon, Oct 20, 2025 at 08:27:40PM +0200, Beat Bolli wrote:
Package: openssh-client
Version: 1:10.0p1-8
Followup-For: Bug #1118288

Tag: patch

Dear Maintainer,

Here's a patch that fixes this bug.

Would you consider forwarding this bug upstream (bugzilla.mindrot.org) rather than leaving me to forward it? For any one patch it's not too much work, but I can't deal with everything.

-			    "setenv %s %s;\n" : "%s=%s; export %s;\n";
+			    "setenv %s '%s';\n" : "%s='%s'; export %s;\n";
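
Review bot: On the `+` line, the single quotes wrapped around the value's %s in both format strings only protect values that contain no single quote themselves; a value containing ' closes the quoted word early and the rest is parsed by the shell as syntax. Escape the value for the target shell before it is formatted (the setenv form is consumed by csh and the export form by sh, and the two quote differently) and keep literal quotes out of the format strings.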

This is definitely incorrect. Consider what would happen if the directory name had a single quote in it, which is just as legal as it having a space.

In general, you need to do proper escaping for the kind of shell you expect to be consuming the input. In this particular case, you need to be extra-careful, because ssh-agent can produce commands for either the C shell or the Bourne shell, and those two families of shell have different syntax. For the Bourne shell, you need the sort of algorithm found in Python's shlex.quote function (or an equivalent variant). I'm not familiar with the C shell so I can't speak to what would be needed there.

--
Colin Watson (he/him)                              [cjwatson@debian.org]
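
The Bourne-shell quoting algorithm referred to above (the one used by Python's shlex.quote), written in C as an added example; it is not OpenSSH code and not part of this thread. `sh_quote` is a hypothetical helper name, the socket path is constructed, and C shell output is deliberately not handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * sh_quote (hypothetical helper): return a malloc'd string that a
 * Bourne-family shell reads back as exactly one word equal to s.
 * Not valid for csh. Returns NULL on allocation failure.
 */
char *sh_quote(const char *s)
{
	/* Characters shlex.quote leaves unquoted. */
	static const char safe[] = "abcdefghijklmnopqrstuvwxyz"
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_@%+=:,./-";
	size_t n = strlen(s), quotes = 0, i;
	char *out, *p;

	for (i = 0; i < n; i++)
		if (s[i] == '\'')
			quotes++;
	/* Each ' grows from 1 to 5 bytes; add 2 outer quotes and the NUL. */
	if ((out = malloc(n + quotes * 4 + 3)) == NULL)
		return NULL;
	if (n > 0 && strspn(s, safe) == n) {
		memcpy(out, s, n + 1);	/* nothing to quote */
		return out;
	}
	p = out;
	*p++ = '\'';
	for (i = 0; i < n; i++) {
		if (s[i] == '\'') {
			/* close the quote, emit "'", reopen the quote */
			memcpy(p, "'\"'\"'", 5);
			p += 5;
		} else
			*p++ = s[i];
	}
	*p++ = '\'';
	*p = '\0';
	return out;
}

int main(void)
{
	/* Constructed path containing both a space and a single quote. */
	char *q = sh_quote("/tmp/o'brien dir/agent.1234");

	if (q == NULL)
		return 1;
	printf("SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\n", q);
	free(q);
	return 0;
}
```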

