author | djm@openbsd.org <djm@openbsd.org> | 2016-03-10 11:47:57 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2016-03-15 03:23:46 +1100 |
commit | 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 (patch) | |
tree | d8dc2012cb7e5918e8da5d8e27ab0764145af63d /session.c | |
parent | 732b463d37221722b1206f43aa59563766a6a968 (diff) |
upstream commit
sanitise characters destined for xauth
reported by github.com/tintinweb; feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 34 |
1 files changed, 31 insertions, 3 deletions
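--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.281 2016/03/07 19:02:43 djm Exp $ */
+/* $OpenBSD: session.c,v 1.282 2016/03/10 11:47:57 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -46,6 +46,7 @@
 
 #include <arpa/inet.h>
 
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
 do_cleanup(authctxt);
 }
 
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+size_t i;
+
+for (i = 0; s[i] != '\0'; i++) {
+if (!isalnum((u_char)s[i]) &&
+s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+s[i] != '-' && s[i] != '_')
+return 0;
+}
+return 1;
+}
+
 /*
  * Prepares for an interactive session. This is called after the user has
  * been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
 s->screen = 0;
 }
 packet_check_eom();
-success = session_setup_x11fwd(s);
+if (xauth_valid_string(s->auth_proto) &&
+xauth_valid_string(s->auth_data))
+success = session_setup_x11fwd(s);
+else {
+success = 0;
+error("Invalid X11 forwarding data");
+}
 if (!success) {
 free(s->auth_proto);
 free(s->auth_data);
@@ -2184,7 +2206,13 @@ session_x11_req(Session *s)
 s->screen = packet_get_int();
 packet_check_eom();
 
-success = session_setup_x11fwd(s);
+if (xauth_valid_string(s->auth_proto) &&
+xauth_valid_string(s->auth_data))
+success = session_setup_x11fwd(s);
+else {
+success = 0;
+error("Invalid X11 forwarding data");
+}
 if (!success) {
 free(s->auth_proto);
 free(s->auth_data);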
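Review bot: The allow-list check is duplicated at both call sites (do_authenticated1 and session_x11_req) instead of being enforced where the strings are consumed, so a later caller of session_setup_x11fwd() could hand unvalidated auth_proto/auth_data to xauth. Consider moving the guard into session_setup_x11fwd() itself, whose body is outside this diff: `if (!xauth_valid_string(s->auth_proto) || !xauth_valid_string(s->auth_data)) { error("Invalid X11 forwarding data"); return 0; }`. Separately, xauth_valid_string() returns 1 for an empty string because the loop never runs; if an empty protocol name or cookie is never legitimate, add `if (*s == '\0') return 0;`. The helper's comment should also state the 1 = accepted / 0 = rejected convention and the permitted character set (alphanumerics plus `.`, `:`, `/`, `-`, `_`).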