From abd8f9deca7bfd32337bd2a2f725647dd8a49a5e Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Thu, 28 Mar 2024 09:36:59 +0100
Subject: mdbp-ssh: prevent shell expansion of forwarded arguments

ssh runs the command through a shell, so we better quote stuff.
---
 mdbp/ssh.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'mdbp/ssh.py')

diff --git a/mdbp/ssh.py b/mdbp/ssh.py
index 9e9ed8c..4572a6f 100644
--- a/mdbp/ssh.py
+++ b/mdbp/ssh.py
@@ -9,6 +9,7 @@ import json
 import pathlib
 import random
 import re
+import shlex
 import subprocess
 import sys
 import tarfile
@@ -116,7 +117,9 @@ def main() -> None:
             map(repoforward.proxy, build["extrarepositories"])
         )
         cmd.extend(repoforward.ssh_options())
-    cmd.extend([args.host, "mdbp-streamapi", *args.command])
+    cmd.append(args.host)
+    cmd.append("mdbp-streamapi")
+    cmd.extend(map(shlex.quote, args.command))
     with contextlib.ExitStack() as stack:
         proc = stack.enter_context(
             subprocess.Popen(
-- 
cgit v1.2.3