diff options
| author | Damien Miller <djm@mindrot.org> | 2006-01-31 21:49:27 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-01-31 21:49:27 +1100 |
| commit | 3eec6b73a2c446225fce546d61d83cfc695fbaa0 (patch) | |
| tree | 425fe13ba7b751c6d9878eb592e2d6a014a468bd /sftp.c | |
| parent | b5dd55cccc7096d3db59378bba44920183f34110 (diff) | |
- djm@cvs.openbsd.org 2006/01/31 10:19:02
[misc.c misc.h scp.c sftp.c]
fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
Diffstat (limited to 'sftp.c')
| -rw-r--r-- | sftp.c | 8 |
1 files changed, 5 insertions, 3 deletions
| @@ -16,7 +16,7 @@ | |||
| 16 | 16 | ||
| 17 | #include "includes.h" | 17 | #include "includes.h" |
| 18 | 18 | ||
| 19 | RCSID("$OpenBSD: sftp.c,v 1.69 2005/12/06 22:38:27 reyk Exp $"); | 19 | RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $"); |
| 20 | 20 | ||
| 21 | #ifdef USE_LIBEDIT | 21 | #ifdef USE_LIBEDIT |
| 22 | #include <histedit.h> | 22 | #include <histedit.h> |
| @@ -1453,8 +1453,9 @@ main(int argc, char **argv) | |||
| 1453 | sanitise_stdfd(); | 1453 | sanitise_stdfd(); |
| 1454 | 1454 | ||
| 1455 | __progname = ssh_get_progname(argv[0]); | 1455 | __progname = ssh_get_progname(argv[0]); |
| 1456 | memset(&args, '\0', sizeof(args)); | ||
| 1456 | args.list = NULL; | 1457 | args.list = NULL; |
| 1457 | addargs(&args, "ssh"); /* overwritten with ssh_program */ | 1458 | addargs(&args, ssh_program); |
| 1458 | addargs(&args, "-oForwardX11 no"); | 1459 | addargs(&args, "-oForwardX11 no"); |
| 1459 | addargs(&args, "-oForwardAgent no"); | 1460 | addargs(&args, "-oForwardAgent no"); |
| 1460 | addargs(&args, "-oPermitLocalCommand no"); | 1461 | addargs(&args, "-oPermitLocalCommand no"); |
| @@ -1489,6 +1490,7 @@ main(int argc, char **argv) | |||
| 1489 | break; | 1490 | break; |
| 1490 | case 'S': | 1491 | case 'S': |
| 1491 | ssh_program = optarg; | 1492 | ssh_program = optarg; |
| 1493 | replacearg(&args, 0, "%s", ssh_program); | ||
| 1492 | break; | 1494 | break; |
| 1493 | case 'b': | 1495 | case 'b': |
| 1494 | if (batchmode) | 1496 | if (batchmode) |
| @@ -1565,7 +1567,6 @@ main(int argc, char **argv) | |||
| 1565 | addargs(&args, "%s", host); | 1567 | addargs(&args, "%s", host); |
| 1566 | addargs(&args, "%s", (sftp_server != NULL ? | 1568 | addargs(&args, "%s", (sftp_server != NULL ? |
| 1567 | sftp_server : "sftp")); | 1569 | sftp_server : "sftp")); |
| 1568 | args.list[0] = ssh_program; | ||
| 1569 | 1570 | ||
| 1570 | if (!batchmode) | 1571 | if (!batchmode) |
| 1571 | fprintf(stderr, "Connecting to %s...\n", host); | 1572 | fprintf(stderr, "Connecting to %s...\n", host); |
| @@ -1578,6 +1579,7 @@ main(int argc, char **argv) | |||
| 1578 | fprintf(stderr, "Attaching to %s...\n", sftp_direct); | 1579 | fprintf(stderr, "Attaching to %s...\n", sftp_direct); |
| 1579 | connect_to_server(sftp_direct, args.list, &in, &out); | 1580 | connect_to_server(sftp_direct, args.list, &in, &out); |
| 1580 | } | 1581 | } |
| 1582 | freeargs(&args); | ||
| 1581 | 1583 | ||
| 1582 | err = interactive_loop(in, out, file1, file2); | 1584 | err = interactive_loop(in, out, file1, file2); |
| 1583 | 1585 | ||