diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-03-10 11:47:57 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-03-15 03:23:46 +1100 |
| commit | 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 (patch) | |
| tree | d8dc2012cb7e5918e8da5d8e27ab0764145af63d /session.c | |
| parent | 732b463d37221722b1206f43aa59563766a6a968 (diff) | |
upstream commit
sanitise characters destined for xauth reported by
github.com/tintinweb feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 34 |
1 files changed, 31 insertions, 3 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: session.c,v 1.281 2016/03/07 19:02:43 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.282 2016/03/10 11:47:57 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -46,6 +46,7 @@ | |||
| 46 | 46 | ||
| 47 | #include <arpa/inet.h> | 47 | #include <arpa/inet.h> |
| 48 | 48 | ||
| 49 | #include <ctype.h> | ||
| 49 | #include <errno.h> | 50 | #include <errno.h> |
| 50 | #include <fcntl.h> | 51 | #include <fcntl.h> |
| 51 | #include <grp.h> | 52 | #include <grp.h> |
| @@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt) | |||
| 274 | do_cleanup(authctxt); | 275 | do_cleanup(authctxt); |
| 275 | } | 276 | } |
| 276 | 277 | ||
| 278 | /* Check untrusted xauth strings for metacharacters */ | ||
| 279 | static int | ||
| 280 | xauth_valid_string(const char *s) | ||
| 281 | { | ||
| 282 | size_t i; | ||
| 283 | |||
| 284 | for (i = 0; s[i] != '\0'; i++) { | ||
| 285 | if (!isalnum((u_char)s[i]) && | ||
| 286 | s[i] != '.' && s[i] != ':' && s[i] != '/' && | ||
| 287 | s[i] != '-' && s[i] != '_') | ||
| 288 | return 0; | ||
| 289 | } | ||
| 290 | return 1; | ||
| 291 | } | ||
| 292 | |||
| 277 | /* | 293 | /* |
| 278 | * Prepares for an interactive session. This is called after the user has | 294 | * Prepares for an interactive session. This is called after the user has |
| 279 | * been successfully authenticated. During this message exchange, pseudo | 295 | * been successfully authenticated. During this message exchange, pseudo |
| @@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt) | |||
| 347 | s->screen = 0; | 363 | s->screen = 0; |
| 348 | } | 364 | } |
| 349 | packet_check_eom(); | 365 | packet_check_eom(); |
| 350 | success = session_setup_x11fwd(s); | 366 | if (xauth_valid_string(s->auth_proto) && |
| 367 | xauth_valid_string(s->auth_data)) | ||
| 368 | success = session_setup_x11fwd(s); | ||
| 369 | else { | ||
| 370 | success = 0; | ||
| 371 | error("Invalid X11 forwarding data"); | ||
| 372 | } | ||
| 351 | if (!success) { | 373 | if (!success) { |
| 352 | free(s->auth_proto); | 374 | free(s->auth_proto); |
| 353 | free(s->auth_data); | 375 | free(s->auth_data); |
| @@ -2184,7 +2206,13 @@ session_x11_req(Session *s) | |||
| 2184 | s->screen = packet_get_int(); | 2206 | s->screen = packet_get_int(); |
| 2185 | packet_check_eom(); | 2207 | packet_check_eom(); |
| 2186 | 2208 | ||
| 2187 | success = session_setup_x11fwd(s); | 2209 | if (xauth_valid_string(s->auth_proto) && |
| 2210 | xauth_valid_string(s->auth_data)) | ||
| 2211 | success = session_setup_x11fwd(s); | ||
| 2212 | else { | ||
| 2213 | success = 0; | ||
| 2214 | error("Invalid X11 forwarding data"); | ||
| 2215 | } | ||
| 2188 | if (!success) { | 2216 | if (!success) { |
| 2189 | free(s->auth_proto); | 2217 | free(s->auth_proto); |
| 2190 | free(s->auth_data); | 2218 | free(s->auth_data); |