From 3b8bccc874dc4ca2c80c956cad65722abb46f0b9 Mon Sep 17 00:00:00 2001
From: Cyril Servant <cyril.servant@gmail.com>
Date: Tue, 14 May 2024 16:02:46 +0200
Subject: [PATCH] Prevent ssh option injection

---
 cmd/sshproxy/sshproxy.go     | 4 ++--
 test/centos-image/Dockerfile | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/cmd/sshproxy/sshproxy.go b/cmd/sshproxy/sshproxy.go
index 0a61aa6..1729986 100644
--- a/cmd/sshproxy/sshproxy.go
+++ b/cmd/sshproxy/sshproxy.go
@@ -474,7 +474,7 @@ func mainExitCode() int {
 			if doCmd == fromCmd {
 				log.Debugf("translateCmdConf = %+v", translateCmdConf)
 				sshArgs = append(sshArgs, translateCmdConf.SSHArgs...)
-				sshArgs = append(sshArgs, "--", host, translateCmdConf.Command)
+				sshArgs = append(sshArgs, host, "--", translateCmdConf.Command)
 				if config.Dump != "" && translateCmdConf.DisableDump {
 					config.Dump = "etcd"
 				}
@@ -487,7 +487,7 @@ func mainExitCode() int {
 				// Force TTY allocation because the user probably asked for it.
 				sshArgs = append(sshArgs, "-t")
 			}
-			sshArgs = append(sshArgs, host, doCmd)
+			sshArgs = append(sshArgs, host, "--", doCmd)
 		}
 	} else {
 		sshArgs = append(sshArgs, host)
diff --git a/test/centos-image/Dockerfile b/test/centos-image/Dockerfile
index d80e51d..c0a0d5e 100644
--- a/test/centos-image/Dockerfile
+++ b/test/centos-image/Dockerfile
@@ -1,4 +1,4 @@
-FROM fedora:latest
+FROM fedora:39
 
 # Install development environment to compile RPM
 RUN set -ex \