Hi,

It's fine not to implement bundling in dropbear's option parsing function (svr-runopts.c's svr_getopts), but it should at least croak if argv[i][2] != '\0'. For instance
dropbear -rdropbear.key -p127.0.0.1:2222 -sjk
should either fail, or be parsed as
dropbear -r dropbear.key -p 127.0.0.1:2222 -s -j -k
if bundling is allowed.
This might have security implications, as the current parsing mechanism
might make a user think that passing ‘-sjk’ disables port forwarding,
which is not the case (the trailing ‘jk’ is ignored).
Cheers,
--
Guilhem.
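
An added example, not dropbear's code and not part of the message above: a strict parser in C that accepts the bundled form and fails on anything it cannot account for, instead of silently dropping trailing characters. `struct opts`, its field names and `parse_opts` are hypothetical, and the flag set is limited to the five options in the message's command line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical option state; names are illustrative, not dropbear's own. */
struct opts {
    const char *keyfile, *listen;                  /* -r, -p */
    int no_password, no_local_fwd, no_remote_fwd;  /* -s, -j, -k */
};

/* Strict parse with bundling. Returns 0 on success, -1 on any leftover. */
int parse_opts(int argc, char **argv, struct opts *o)
{
    memset(o, 0, sizeof *o);
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (a[0] != '-' || a[1] == '\0')
            return -1;                  /* stray word: reject */
        for (const char *c = a + 1; *c; c++) {
            const char **dst = NULL;
            switch (*c) {
            case 's': o->no_password = 1; break;
            case 'j': o->no_local_fwd = 1; break;
            case 'k': o->no_remote_fwd = 1; break;
            case 'r': dst = &o->keyfile; break;
            case 'p': dst = &o->listen; break;
            default: return -1;         /* unknown letter: fail, never skip */
            }
            if (dst) {                  /* value = rest of word, else next word */
                if (c[1] != '\0') *dst = c + 1;
                else if (i + 1 < argc) *dst = argv[++i];
                else return -1;
                break;                  /* this word is fully consumed */
            }
        }
    }
    return 0;
}

int main(void)
{
    /* The command line from the message above. */
    char *argv[] = {"dropbear", "-rdropbear.key", "-p127.0.0.1:2222", "-sjk"};
    struct opts o;
    if (parse_opts(4, argv, &o) != 0) return 1;
    printf("key=%s listen=%s s=%d j=%d k=%d\n", o.keyfile, o.listen,
           o.no_password, o.no_local_fwd, o.no_remote_fwd);
    return 0;
}
```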
