diff options
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | ssh.c | 30 |
2 files changed, 31 insertions, 6 deletions
| @@ -1,3 +1,10 @@ | |||
| 1 | 20140227 | ||
| 2 | - OpenBSD CVS Sync | ||
| 3 | - djm@cvs.openbsd.org 2014/02/26 20:18:37 | ||
| 4 | [ssh.c] | ||
| 5 | bz#2205: avoid early hostname lookups unless canonicalisation is enabled; | ||
| 6 | ok dtucker@ markus@ | ||
| 7 | |||
| 1 | 20140224 | 8 | 20140224 |
| 2 | - OpenBSD CVS Sync | 9 | - OpenBSD CVS Sync |
| 3 | - djm@cvs.openbsd.org 2014/02/07 06:55:54 | 10 | - djm@cvs.openbsd.org 2014/02/07 06:55:54 |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh.c,v 1.400 2014/02/23 20:11:36 djm Exp $ */ | 1 | /* $OpenBSD: ssh.c,v 1.401 2014/02/26 20:18:37 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -899,12 +899,20 @@ main(int ac, char **av) | |||
| 899 | addrs = resolve_canonicalize(&host, options.port); | 899 | addrs = resolve_canonicalize(&host, options.port); |
| 900 | 900 | ||
| 901 | /* | 901 | /* |
| 902 | * If canonicalization not requested, or if it failed then try to | 902 | * If CanonicalizePermittedCNAMEs have been specified but |
| 903 | * resolve the bare hostname name using the system resolver's usual | 903 | * other canonicalization did not happen (by not being requested |
| 904 | * search rules. Skip the lookup if a ProxyCommand is being used | 904 | * or by failing with fallback) then the hostname may still be changed |
| 905 | * unless the user has specifically requested canonicalisation. | 905 | * as a result of CNAME following. |
| 906 | * | ||
| 907 | * Try to resolve the bare hostname name using the system resolver's | ||
| 908 | * usual search rules and then apply the CNAME follow rules. | ||
| 909 | * | ||
| 910 | * Skip the lookup if a ProxyCommand is being used unless the user | ||
| 911 | * has specifically requested canonicalisation for this case via | ||
| 912 | * CanonicalizeHostname=always | ||
| 906 | */ | 913 | */ |
| 907 | if (addrs == NULL && (option_clear_or_none(options.proxy_command) || | 914 | if (addrs == NULL && options.num_permitted_cnames != 0 && |
| 915 | (option_clear_or_none(options.proxy_command) || | ||
| 908 | options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) { | 916 | options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) { |
| 909 | if ((addrs = resolve_host(host, options.port, 1, | 917 | if ((addrs = resolve_host(host, options.port, 1, |
| 910 | cname, sizeof(cname))) == NULL) | 918 | cname, sizeof(cname))) == NULL) |
| @@ -1000,6 +1008,16 @@ main(int ac, char **av) | |||
| 1000 | if (options.control_path != NULL) | 1008 | if (options.control_path != NULL) |
| 1001 | muxclient(options.control_path); | 1009 | muxclient(options.control_path); |
| 1002 | 1010 | ||
| 1011 | /* | ||
| 1012 | * If hostname canonicalisation was not enabled, then we may not | ||
| 1013 | * have yet resolved the hostname. Do so now. | ||
| 1014 | */ | ||
| 1015 | if (addrs == NULL && options.proxy_command == NULL) { | ||
| 1016 | if ((addrs = resolve_host(host, options.port, 1, | ||
| 1017 | cname, sizeof(cname))) == NULL) | ||
| 1018 | cleanup_exit(255); /* resolve_host logs the error */ | ||
| 1019 | } | ||
| 1020 | |||
| 1003 | timeout_ms = options.connection_timeout * 1000; | 1021 | timeout_ms = options.connection_timeout * 1000; |
| 1004 | 1022 | ||
| 1005 | /* Open a connection to the remote host. */ | 1023 | /* Open a connection to the remote host. */ |