authorDamien Miller <djm@mindrot.org>2012-02-11 08:18:17 +1100
committerDamien Miller <djm@mindrot.org>2012-02-11 08:18:17 +1100
commit8d60be548778c025db8daa0345f8d77331086fc6 (patch)
treecdcf6eaa96eabfb9007bcc9d34194b82a6d286a2
parentfb12c6d8bb6515512c3cd00dfcb2670a6c54ba49 (diff)
- dtucker@cvs.openbsd.org 2012/01/18 21:46:43
[clientloop.c] Ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
-rw-r--r--ChangeLog5
-rw-r--r--clientloop.c22
2 files changed, 26 insertions, 1 deletions
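--- a/ChangeLog
+++ b/ChangeLog
@@ -15,6 +15,11 @@
  Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow.
  While there, be sure to buffer_clear() between send_msg() and recv_msg().
  ok markus@
+ - dtucker@cvs.openbsd.org 2012/01/18 21:46:43
+ [clientloop.c]
+ Ensure that $DISPLAY contains only valid characters before using it to
+ extract xauth data so that it can't be used to play local shell
+ metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
 
 20120206
  - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms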
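--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.237 2011/09/10 22:26:34 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -281,6 +281,23 @@ set_control_persist_exit_time(void)
  /* else we are already counting down to the timeout */
 }
 
+#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_"
+static int
+client_x11_display_valid(const char *display)
+{
+ size_t i, dlen;
+
+ dlen = strlen(display);
+ for (i = 0; i < dlen; i++) {
+ if (!isalnum(display[i]) &&
+ strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
+ debug("Invalid character '%c' in DISPLAY", display[i]);
+ return 0;
+ }
+ }
+ return 1;
+}
+
 #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
 void
 client_x11_get_proto(const char *display, const char *xauth_path,
@@ -303,6 +320,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 
  if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
  debug("No xauth program.");
+ } else if (!client_x11_display_valid(display)) {
+ logit("DISPLAY '%s' invalid, falling back to fake xauth data",
+ display);
  } else {
  if (display == NULL) {
  debug("x11_get_proto: DISPLAY not set");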