diff options
author | Damien Miller <djm@mindrot.org> | 2012-02-11 08:18:17 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2012-02-11 08:18:17 +1100 |
commit | 8d60be548778c025db8daa0345f8d77331086fc6 (patch) | |
tree | cdcf6eaa96eabfb9007bcc9d34194b82a6d286a2 | |
parent | fb12c6d8bb6515512c3cd00dfcb2670a6c54ba49 (diff) |
- dtucker@cvs.openbsd.org 2012/01/18 21:46:43
[clientloop.c]
Ensure that $DISPLAY contains only valid characters before using it to
extract xauth data so that it can't be used to play local shell
metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | clientloop.c | 22 |
2 files changed, 26 insertions, 1 deletions
@@ -15,6 +15,11 @@ | |||
15 | Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow. | 15 | Fix a memory leak in pkcs11_rsa_private_encrypt(), reported by Jan Klemkow. |
16 | While there, be sure to buffer_clear() between send_msg() and recv_msg(). | 16 | While there, be sure to buffer_clear() between send_msg() and recv_msg(). |
17 | ok markus@ | 17 | ok markus@ |
18 | - dtucker@cvs.openbsd.org 2012/01/18 21:46:43 | ||
19 | [clientloop.c] | ||
20 | Ensure that $DISPLAY contains only valid characters before using it to | ||
21 | extract xauth data so that it can't be used to play local shell | ||
22 | metacharacter games. Report from r00t_ati at ihteam.net, ok markus. | ||
18 | 23 | ||
19 | 20120206 | 24 | 20120206 |
20 | - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms | 25 | - (djm) [ssh-keygen.c] Don't fail in do_gen_all_hostkeys on platforms |
diff --git a/clientloop.c b/clientloop.c index 1339521f4..f69a9b025 100644 --- a/clientloop.c +++ b/clientloop.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: clientloop.c,v 1.237 2011/09/10 22:26:34 markus Exp $ */ | 1 | /* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -281,6 +281,23 @@ set_control_persist_exit_time(void) | |||
281 | /* else we are already counting down to the timeout */ | 281 | /* else we are already counting down to the timeout */ |
282 | } | 282 | } |
283 | 283 | ||
284 | #define SSH_X11_VALID_DISPLAY_CHARS ":/.-_" | ||
285 | static int | ||
286 | client_x11_display_valid(const char *display) | ||
287 | { | ||
288 | size_t i, dlen; | ||
289 | |||
290 | dlen = strlen(display); | ||
291 | for (i = 0; i < dlen; i++) { | ||
292 | if (!isalnum(display[i]) && | ||
293 | strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) { | ||
294 | debug("Invalid character '%c' in DISPLAY", display[i]); | ||
295 | return 0; | ||
296 | } | ||
297 | } | ||
298 | return 1; | ||
299 | } | ||
300 | |||
284 | #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" | 301 | #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" |
285 | void | 302 | void |
286 | client_x11_get_proto(const char *display, const char *xauth_path, | 303 | client_x11_get_proto(const char *display, const char *xauth_path, |
@@ -303,6 +320,9 @@ client_x11_get_proto(const char *display, const char *xauth_path, | |||
303 | 320 | ||
304 | if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { | 321 | if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { |
305 | debug("No xauth program."); | 322 | debug("No xauth program."); |
323 | } else if (!client_x11_display_valid(display)) { | ||
324 | logit("DISPLAY '%s' invalid, falling back to fake xauth data", | ||
325 | display); | ||
306 | } else { | 326 | } else { |
307 | if (display == NULL) { | 327 | if (display == NULL) { |
308 | debug("x11_get_proto: DISPLAY not set"); | 328 | debug("x11_get_proto: DISPLAY not set"); |