diff options
author | Damien Miller <djm@mindrot.org> | 2006-01-31 21:49:27 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-01-31 21:49:27 +1100 |
commit | 3eec6b73a2c446225fce546d61d83cfc695fbaa0 (patch) | |
tree | 425fe13ba7b751c6d9878eb592e2d6a014a468bd /sftp.c | |
parent | b5dd55cccc7096d3db59378bba44920183f34110 (diff) |
- djm@cvs.openbsd.org 2006/01/31 10:19:02
[misc.c misc.h scp.c sftp.c]
fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
Diffstat (limited to 'sftp.c')
-rw-r--r-- | sftp.c | 8 |
1 files changed, 5 insertions, 3 deletions
@@ -16,7 +16,7 @@ | |||
16 | 16 | ||
17 | #include "includes.h" | 17 | #include "includes.h" |
18 | 18 | ||
19 | RCSID("$OpenBSD: sftp.c,v 1.69 2005/12/06 22:38:27 reyk Exp $"); | 19 | RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $"); |
20 | 20 | ||
21 | #ifdef USE_LIBEDIT | 21 | #ifdef USE_LIBEDIT |
22 | #include <histedit.h> | 22 | #include <histedit.h> |
@@ -1453,8 +1453,9 @@ main(int argc, char **argv) | |||
1453 | sanitise_stdfd(); | 1453 | sanitise_stdfd(); |
1454 | 1454 | ||
1455 | __progname = ssh_get_progname(argv[0]); | 1455 | __progname = ssh_get_progname(argv[0]); |
1456 | memset(&args, '\0', sizeof(args)); | ||
1456 | args.list = NULL; | 1457 | args.list = NULL; |
1457 | addargs(&args, "ssh"); /* overwritten with ssh_program */ | 1458 | addargs(&args, ssh_program); |
1458 | addargs(&args, "-oForwardX11 no"); | 1459 | addargs(&args, "-oForwardX11 no"); |
1459 | addargs(&args, "-oForwardAgent no"); | 1460 | addargs(&args, "-oForwardAgent no"); |
1460 | addargs(&args, "-oPermitLocalCommand no"); | 1461 | addargs(&args, "-oPermitLocalCommand no"); |
@@ -1489,6 +1490,7 @@ main(int argc, char **argv) | |||
1489 | break; | 1490 | break; |
1490 | case 'S': | 1491 | case 'S': |
1491 | ssh_program = optarg; | 1492 | ssh_program = optarg; |
1493 | replacearg(&args, 0, "%s", ssh_program); | ||
1492 | break; | 1494 | break; |
1493 | case 'b': | 1495 | case 'b': |
1494 | if (batchmode) | 1496 | if (batchmode) |
@@ -1565,7 +1567,6 @@ main(int argc, char **argv) | |||
1565 | addargs(&args, "%s", host); | 1567 | addargs(&args, "%s", host); |
1566 | addargs(&args, "%s", (sftp_server != NULL ? | 1568 | addargs(&args, "%s", (sftp_server != NULL ? |
1567 | sftp_server : "sftp")); | 1569 | sftp_server : "sftp")); |
1568 | args.list[0] = ssh_program; | ||
1569 | 1570 | ||
1570 | if (!batchmode) | 1571 | if (!batchmode) |
1571 | fprintf(stderr, "Connecting to %s...\n", host); | 1572 | fprintf(stderr, "Connecting to %s...\n", host); |
@@ -1578,6 +1579,7 @@ main(int argc, char **argv) | |||
1578 | fprintf(stderr, "Attaching to %s...\n", sftp_direct); | 1579 | fprintf(stderr, "Attaching to %s...\n", sftp_direct); |
1579 | connect_to_server(sftp_direct, args.list, &in, &out); | 1580 | connect_to_server(sftp_direct, args.list, &in, &out); |
1580 | } | 1581 | } |
1582 | freeargs(&args); | ||
1581 | 1583 | ||
1582 | err = interactive_loop(in, out, file1, file2); | 1584 | err = interactive_loop(in, out, file1, file2); |
1583 | 1585 | ||