summaryrefslogtreecommitdiff
path: root/session.c
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2016-03-10 11:47:57 +0000
committerDamien Miller <djm@mindrot.org>2016-03-15 03:23:46 +1100
commit4b4bfb01cd40b9ddb948e6026ddd287cc303d871 (patch)
treed8dc2012cb7e5918e8da5d8e27ab0764145af63d /session.c
parent732b463d37221722b1206f43aa59563766a6a968 (diff)
upstream commit
sanitise characters destined for xauth reported by github.com/tintinweb feedback and ok deraadt and markus Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
Diffstat (limited to 'session.c')
-rw-r--r--session.c34
1 files changed, 31 insertions, 3 deletions
diff --git a/session.c b/session.c
index 9a75c622e..485924570 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: session.c,v 1.281 2016/03/07 19:02:43 djm Exp $ */ 1/* $OpenBSD: session.c,v 1.282 2016/03/10 11:47:57 djm Exp $ */
2/* 2/*
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved 4 * All rights reserved
@@ -46,6 +46,7 @@
46 46
47#include <arpa/inet.h> 47#include <arpa/inet.h>
48 48
49#include <ctype.h>
49#include <errno.h> 50#include <errno.h>
50#include <fcntl.h> 51#include <fcntl.h>
51#include <grp.h> 52#include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
274 do_cleanup(authctxt); 275 do_cleanup(authctxt);
275} 276}
276 277
278/* Check untrusted xauth strings for metacharacters */
279static int
280xauth_valid_string(const char *s)
281{
282 size_t i;
283
284 for (i = 0; s[i] != '\0'; i++) {
285 if (!isalnum((u_char)s[i]) &&
286 s[i] != '.' && s[i] != ':' && s[i] != '/' &&
287 s[i] != '-' && s[i] != '_')
288 return 0;
289 }
290 return 1;
291}
292
277/* 293/*
278 * Prepares for an interactive session. This is called after the user has 294 * Prepares for an interactive session. This is called after the user has
279 * been successfully authenticated. During this message exchange, pseudo 295 * been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
347 s->screen = 0; 363 s->screen = 0;
348 } 364 }
349 packet_check_eom(); 365 packet_check_eom();
350 success = session_setup_x11fwd(s); 366 if (xauth_valid_string(s->auth_proto) &&
367 xauth_valid_string(s->auth_data))
368 success = session_setup_x11fwd(s);
369 else {
370 success = 0;
371 error("Invalid X11 forwarding data");
372 }
351 if (!success) { 373 if (!success) {
352 free(s->auth_proto); 374 free(s->auth_proto);
353 free(s->auth_data); 375 free(s->auth_data);
@@ -2184,7 +2206,13 @@ session_x11_req(Session *s)
2184 s->screen = packet_get_int(); 2206 s->screen = packet_get_int();
2185 packet_check_eom(); 2207 packet_check_eom();
2186 2208
2187 success = session_setup_x11fwd(s); 2209 if (xauth_valid_string(s->auth_proto) &&
2210 xauth_valid_string(s->auth_data))
2211 success = session_setup_x11fwd(s);
2212 else {
2213 success = 0;
2214 error("Invalid X11 forwarding data");
2215 }
2188 if (!success) { 2216 if (!success) {
2189 free(s->auth_proto); 2217 free(s->auth_proto);
2190 free(s->auth_data); 2218 free(s->auth_data);