Cockpit-ws Security Flaw: Hostnames Starting with '-' Could Bypass CLI Safeguards

A long-standing, unaddressed vulnerability in the `cockpit-ws` component allows hostnames beginning with a hyphen (`-`) to be incorrectly interpreted as command-line options, potentially bypassing intended security boundaries. This flaw exposes the authentication commands (`cockpit-session`, `cockpit-ssh`, `cockpit.beiboot`) to argument injection risks, where a maliciously crafted hostname could manipulate command execution.

The core issue stems from `cockpit-ws`'s failure to sanitize hostnames before passing them to downstream auth processes. While a shift to using `cockpit-session` via a Unix socket mitigated exposure for that specific command, a subsequent migration from `cockpit-ssh` to `cockpit.beiboot` introduced a new vector. The Python `argparse` module used by `cockpit.beiboot` contains a documented bug (CPython issue #66623) with a strange parsing heuristic: arguments starting with '-' can be interpreted as positional arguments if they contain spaces. This creates a pathway where a hostname starting with `-` could be passed to SSH, which would then interpret it as an option, causing the following argument (the intended remote Python invocation) to be misread as the hostname.

Although newer SSH versions may reject such malformed hostnames, the underlying code in `cockpit-ws` remains insufficiently hardened. The exposure highlights a persistent gap in input validation within critical authentication pathways. The proposed fix involves explicitly adding `--` to the command invocations to firmly separate options from arguments, a standard practice for preventing this class of injection attacks. This flaw underscores the security risks that can emerge from layered architectural changes and parser idiosyncrasies in system tooling.