+ --- ssh.c	2024-03-02 19:08:29.085655690 -0500

+ +++ ssh.c	2024-03-02 19:14:10.889324532 -0500

+ @@ -484,6 +484,41 @@

+  	}

+  }

+  

+ +static int

+ +valid_hostname(const char *s)

+ +{

+ +	size_t i;

+ +

+ +	if (*s == '-')

+ +		return 0;

+ +	for (i = 0; s[i] != 0; i++) {

+ +		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||

+ +		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))

+ +			return 0;

+ +	}

+ +	return 1;

+ +}

+ +

+ +static int

+ +valid_ruser(const char *s)

+ +{

+ +	size_t i;

+ +

+ +	if (*s == '-')

+ +		return 0;

+ +	for (i = 0; s[i] != 0; i++) {

+ +		if (strchr("'`\";&<>|(){}", s[i]) != NULL)

+ +			return 0;

+ +		/* Disallow '-' after whitespace */

+ +		if (isspace((u_char)s[i]) && s[i + 1] == '-')

+ +			return 0;

+ +		/* Disallow \ in last position */

+ +		if (s[i] == '\\' && s[i + 1] == '\0')

+ +			return 0;

+ +	}

+ +	return 1;

+ +}

+ +

+  /* Rewrite the port number in an addrinfo list of addresses */

+  static void

+  set_addrinfo_port(struct addrinfo *addrs, int port)

+ @@ -961,6 +996,11 @@

+  	if (!host)

+  		usage();

+  

+ +	if (!valid_hostname(host))

+ +		fatal("hostname contains invalid characters");

+ +	if (options.user != NULL && !valid_ruser(options.user))

+ +		fatal("remote username contains invalid characters");

+ +

+  	host_arg = xstrdup(host);

+  

+  #ifdef WITH_OPENSSL