openssh bugs - Nov 2022 - [Bug 3502] New: Include directives are processed regardless of the parent Match result

https://bugzilla.mindrot.org/show_bug.cgi?id=3502

            Bug ID: 3502
           Summary: Include directives are processed regardless of the
                    parent Match result
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: ARM64
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: alinmesser at hotmail.com

When adding Include directives within Match blocks they are carried out
regardless of whether the match is successful or not.

Sample ~/.ssh/config:
# Host *
#    SendEnv LANG LC_*
#    StrictHostKeyChecking no
#    UserKnownHostsFile /dev/null
#    LogLevel=ERROR
#    AddressFamily inet
#    ServerAliveInterval 100
#    CheckHostIP no
#    User root
#
# Match all

Match localuser myuser exec "[ true = false ]"
    Include file1
Match localuser !myuser exec "[ true = false ]"
    Include file2
...

Steps to reproduce:
myuser at thishost $ ssh -vvv myhost
OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
debug1: Reading configuration data /Users/myuser/.ssh/config
debug2: checking match for 'localuser myuser exec "[ true = false
]"'
host myhost originally myhost
debug3: /Users/myuser/.ssh/config line 13: matched 'localuser
"myuser"'
debug1: Executing command: '[ true = false ]'
debug3: command returned status 1
debug3: /Users/myuser/.ssh/config line 13: not matched 'exec "[ true
false ]"'
debug2: match not found
debug3: /Users/myuser/.ssh/config line 14: Including file
/Users/myuser/.ssh/file1 depth 0 (parse only)
debug2: checking match for 'localuser !myuser exec "[ true = false
]"'
host myhost originally myhost
debug3: /Users/myuser/.ssh/config line 15: not matched 'localuser
"myuser"'
debug3: /Users/myuser/.ssh/config line 15: skipped exec "[ true = false
]"
debug2: match not found
debug3: /Users/myuser/.ssh/config line 16: Including file
/Users/myuser/.ssh/file2 depth 0 (parse only)
...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3502

Alin <alinmesser at hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alinmesser at hotmail.com

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3502

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Yes, this is completely intentional. Include directives are processed
for all blocks to catch syntax errors.

However, directives in files included from non-matching blocks do not
modify the configuration. This is why
> debug3: /Users/myuser/.ssh/config line 14: Including file
/Users/myuser/.ssh/file1 depth 0 (parse only)
says "parse only" at the end of the line.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3502

--- Comment #2 from Alin <alinmesser at hotmail.com> ---
Thank you for the clarification, and I apologize for not diving deeper
into the log.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3502

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.