#12415 closed Bug report (fixed)
keyboard-interactive duplicates & signs and adds > sign
| Reported by: | janoszen | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | FileZilla Client |
| Keywords: | | Cc: | |
| Component version: | 3.53.1 | Operating system type: | Windows |
| Operating system version: | 10.0.19041 Build 19041 | | |
Description (last modified by )
When an SSH server issues a keyboard-interactive authentication to the client and the "instruction" field contains an & (and) sign (e.g. in a URL), the and sign is duplicated. Furthermore, it adds a > sign after a certain length.
FileZilla:
| Please visit the following link to authenticate: | https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35&&login > =janoszen&&response_type=code&&state=73aaa57b018e4119a381da7b5a0fc06e | Please enter the code received:
OpenSSH:
Welcome to ContainerSSH! Please visit the following link to authenticate: https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35&login=janoszen&response_type=code&state=b7d0a882dae24d32b000993522b80dbf Please enter the code received:
Please remove extra formatting from the challenge so links can be properly utilized.
Context: I'm the author of ContainerSSH and we are implementing OAuth2 authentication for SSH. The binaries for this feature are not released yet, but I'm happy to provide a testing server if needed.
Attachments (1)
Change History (5)
by , 4 years ago
Attachment: Screenshot 2021-04-10 090513.png added
comment:1 by , 4 years ago
Description: modified (diff)
comment:2 by , 4 years ago
Resolution: → fixed
Status: new → closed
Two security measures at work here, slightly misplaced.
Ampersand doubling is from escaping them for labels so that they do not become mnemonics. The challenge isn't displayed in a label though. Will remove unneeded escapement.
SFTP support in FileZilla is based on PuTTY's psftp. The line length limiting comes from PuTTY which expects psftp to run in a console window. With the GUI in mind, I'll tweak the length limits.
Please try tomorrow's nightly build.
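The mnemonic escaping described in comment:2, as an added example that is not part of the ticket and is not FileZilla's or PuTTY's code: it shows why doubling `&` is correct for a label but corrupts a URL shown in a plain text control, and how choosing the escaping by destination avoids that. The function and enum names are hypothetical, and `rendered` is a simplified model of how a label widget treats `&`.

```cpp
#include <iostream>
#include <string>

// Where the server-supplied challenge text ends up (illustrative names).
enum class Sink { Label, TextControl };

// Double every '&' so a label widget shows it literally instead of
// treating it as a mnemonic marker.
std::string escape_for_label(const std::string& text) {
    std::string out;
    for (char c : text) {
        out += c;
        if (c == '&') out += '&';
    }
    return out;
}

// Escape for the widget that will actually display the text.
std::string prepare_challenge(const std::string& text, Sink sink) {
    return sink == Sink::Label ? escape_for_label(text) : text;
}

// Simplified model of what the user sees: a label collapses "&&" to "&"
// and swallows a lone '&'; a text control shows the text unchanged.
std::string rendered(const std::string& text, Sink sink) {
    if (sink == Sink::TextControl) return text;
    std::string out;
    for (std::size_t i = 0; i < text.size(); ++i) {
        if (text[i] == '&') {
            if (i + 1 < text.size() && text[i + 1] == '&') { out += '&'; ++i; }
            continue;  // a lone '&' is consumed as the mnemonic marker
        }
        out += text[i];
    }
    return out;
}

// URL taken from the OpenSSH output quoted in the ticket.
const std::string kUrl =
    "https://github.com/login/oauth/authorize?client_id=063fe6a5dd3849276f35"
    "&login=janoszen&response_type=code&state=b7d0a882dae24d32b000993522b80dbf";

int main() {
    // Label escaping applied to a text control: the symptom from the ticket.
    std::cout << rendered(escape_for_label(kUrl), Sink::TextControl) << "\n";
    // Escaping chosen per destination: the URL survives in both widgets.
    std::cout << rendered(prepare_challenge(kUrl, Sink::TextControl), Sink::TextControl) << "\n";
    std::cout << rendered(prepare_challenge(kUrl, Sink::Label), Sink::Label) << "\n";
}
```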
comment:3 by , 4 years ago
Awesome, I'll test it. The issue is also present in PuTTY, I submitted it to them too but have not yet received a response.
comment:4 by , 4 years ago
Thank you, the nightly indeed fixes this issue. However, we found another bug filed as #12422.