On Thu, 5 Sep 2024, Todd C. Miller wrote:

> On Fri, 06 Sep 2024 12:16:25 +1000, Damien Miller wrote:
> 
> > Well, it's still a mess elsewhere in OpenSSH. Maybe we should whack it
> > all in one go?
> >
> > The only problem is that someone, somewhere, somehow will have used '@'
> > in a hostname and this will break them.
> 
> Comments inline.

thanks

> > --- a/misc.c
> > +++ b/misc.c
> > @@ -982,7 +982,7 @@ parse_uri(const char *scheme, const char *uri, char **use
> > rp, char **hostp,
> >  	uridup = tmp = xstrdup(uri);
> >  
> >  	/* Extract optional ssh-info (username + connection params) */
> > -	if ((cp = strchr(tmp, '@')) != NULL) {
> > +	if ((cp = strrchr(tmp, '@')) != NULL) {
> >  		char *delim;
> >  
> >  		*cp = '\0';
> 
> I'm not sure about this one.  Currently, an '@' in a user name just
> needs to be url-encoded.  Isn't that considered "normal" or URIs?

I don't know either; I'll leave this until someone complains but
commit the others with your fix.

-d