1 files changed, 13 insertions, 6 deletions

diff --git a/serverloop.c b/serverloop.c
index 741c5befb..14e60c6dc 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.162 2012/06/20 04:42:58 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.163 2012/12/02 20:46:11 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
 static Channel *
 server_request_direct_tcpip(void)
 {
-        Channel *c;
+        Channel *c = NULL;
         char *target, *originator;
         u_short target_port, originator_port;
 
@@ -963,9 +963,16 @@ server_request_direct_tcpip(void)
         debug("server_request_direct_tcpip: originator %s port %d, target %s "
             "port %d", originator, originator_port, target, target_port);
 
-        /* XXX check permission */
-        c = channel_connect_to(target, target_port,
-            "direct-tcpip", "direct-tcpip");
+        /* XXX fine grained permissions */
+        if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
+            !no_port_forwarding_flag) {
+                c = channel_connect_to(target, target_port,
+                    "direct-tcpip", "direct-tcpip");
+        } else {
+                logit("refused local port forward: "
+                    "originator %s port %d, target %s port %d",
+                    originator, originator_port, target, target_port);
+        }
 
         xfree(originator);
         xfree(target);
@@ -1126,7 +1133,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
                     listen_address, listen_port);
 
                 /* check permissions */
-                if (!options.allow_tcp_forwarding ||
+                if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
                     no_port_forwarding_flag ||
                     (!want_reply && listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT