summaryrefslogtreecommitdiff
path: root/session.c
diff options
context:
space:
mode:
Diffstat (limited to 'session.c')
-rw-r--r--session.c32
1 files changed, 30 insertions, 2 deletions
diff --git a/session.c b/session.c
index 7a02500ab..87fddfc3d 100644
--- a/session.c
+++ b/session.c
@@ -46,6 +46,7 @@
46 46
47#include <arpa/inet.h> 47#include <arpa/inet.h>
48 48
49#include <ctype.h>
49#include <errno.h> 50#include <errno.h>
50#include <fcntl.h> 51#include <fcntl.h>
51#include <grp.h> 52#include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
274 do_cleanup(authctxt); 275 do_cleanup(authctxt);
275} 276}
276 277
278/* Check untrusted xauth strings for metacharacters */
279static int
280xauth_valid_string(const char *s)
281{
282 size_t i;
283
284 for (i = 0; s[i] != '\0'; i++) {
285 if (!isalnum((u_char)s[i]) &&
286 s[i] != '.' && s[i] != ':' && s[i] != '/' &&
287 s[i] != '-' && s[i] != '_')
288 return 0;
289 }
290 return 1;
291}
292
277/* 293/*
278 * Prepares for an interactive session. This is called after the user has 294 * Prepares for an interactive session. This is called after the user has
279 * been successfully authenticated. During this message exchange, pseudo 295 * been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
347 s->screen = 0; 363 s->screen = 0;
348 } 364 }
349 packet_check_eom(); 365 packet_check_eom();
350 success = session_setup_x11fwd(s); 366 if (xauth_valid_string(s->auth_proto) &&
367 xauth_valid_string(s->auth_data))
368 success = session_setup_x11fwd(s);
369 else {
370 success = 0;
371 error("Invalid X11 forwarding data");
372 }
351 if (!success) { 373 if (!success) {
352 free(s->auth_proto); 374 free(s->auth_proto);
353 free(s->auth_data); 375 free(s->auth_data);
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
2178 s->screen = packet_get_int(); 2200 s->screen = packet_get_int();
2179 packet_check_eom(); 2201 packet_check_eom();
2180 2202
2181 success = session_setup_x11fwd(s); 2203 if (xauth_valid_string(s->auth_proto) &&
2204 xauth_valid_string(s->auth_data))
2205 success = session_setup_x11fwd(s);
2206 else {
2207 success = 0;
2208 error("Invalid X11 forwarding data");
2209 }
2182 if (!success) { 2210 if (!success) {
2183 free(s->auth_proto); 2211 free(s->auth_proto);
2184 free(s->auth_data); 2212 free(s->auth_data);