From a445b72fcdbb52e2f2ef0b240e41152fa92292f9 Mon Sep 17 00:00:00 2001
From: Eliah Kagan <degeneracypressure@gmail.com>
Date: Sun, 26 Jan 2025 09:12:40 -0500
Subject: [PATCH] fix: Honor `disallow_shell` in SSH client feature check

When running an SSH client, the `disallow_shell` option determines
whether the client command, before arguments, is to be run directly
or if it is to be run by a shell.

(One example of when it is run directly is if it comes from the
`GIT_SSH` environment variable, while one example of when it is run
by a shell is if it comes from the `GIT_SSH_COMMAND` environment
variable.)

When invoking the client in the most central and common case of
actually attempting to connect to a remote server, `disallow_shell`
was already followed. However, in some cases we are not sure what
kind of SSH client program we have, and so to find that out (so we
know how to run it to connect to a server), we run a test command,
to see if it recognizes `-G` as OpenSSH clients do. Often we can
tell what kind of client program we have without needing to do
that. But if we do need to do it, we pre-run the client to check.
In this use, the `disallow_shell` option was not followed, and
instead the use of a shell was unconditionally treated as allowed.

This fixes that by setting `prepare.use_shell = false` on a
constructed `gix_command::Prepare` instance, which seems to be the
prevailing style for achieving this elsewhere in `gix-transport`.
---
 gix-transport/src/client/blocking_io/ssh/mod.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gix-transport/src/client/blocking_io/ssh/mod.rs b/gix-transport/src/client/blocking_io/ssh/mod.rs
index 21680031712..2b5967dcc48 100644
--- a/gix-transport/src/client/blocking_io/ssh/mod.rs
+++ b/gix-transport/src/client/blocking_io/ssh/mod.rs
@@ -111,8 +111,8 @@ pub fn connect(
     let ssh_cmd = options.ssh_command();
     let mut kind = options.kind.unwrap_or_else(|| ProgramKind::from(ssh_cmd));
     if options.kind.is_none() && kind == ProgramKind::Simple {
-        let mut cmd = std::process::Command::from(
-            gix_command::prepare(ssh_cmd)
+        let mut cmd = std::process::Command::from({
+            let mut prepare = gix_command::prepare(ssh_cmd)
                 .stderr(Stdio::null())
                 .stdout(Stdio::null())
                 .stdin(Stdio::null())
@@ -122,8 +122,12 @@ pub fn connect(
                     Usable(host) => host,
                     Dangerous(host) => Err(Error::AmbiguousHostName { host: host.into() })?,
                     Absent => panic!("BUG: host should always be present in SSH URLs"),
-                }),
-        );
+                });
+            if options.disallow_shell {
+                prepare.use_shell = false;
+            }
+            prepare
+        });
         gix_features::trace::debug!(cmd = ?cmd, "invoking `ssh` for feature check");
         kind = if cmd.status().ok().is_some_and(|status| status.success()) {
             ProgramKind::Ssh