1 files changed, 30 insertions, 2 deletions
diff --git a/session.c b/session.c
index 7a02500ab..87fddfc3d 100644
--- a/session.c
+++ b/session.c
@@ -46,6 +46,7 @@
 #include <arpa/inet.h>
+#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
        do_cleanup(authctxt);
 }
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+        size_t i;
+        for (i = 0; s[i] != '\0'; i++) {
+                if (!isalnum((u_char)s[i]) &&
+                    s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+                    s[i] != '-' && s[i] != '_')
+                return 0;
+        }
+        return 1;
+}
 /*
 * Prepares for an interactive session.  This is called after the user has
 * been successfully authenticated.  During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
                                s->screen = 0;
                        }
                        packet_check_eom();
-                        success = session_setup_x11fwd(s);
+                        if (xauth_valid_string(s->auth_proto) &&
+                            xauth_valid_string(s->auth_data))
+                                success = session_setup_x11fwd(s);
+                        else {
+                                success = 0;
+                                error("Invalid X11 forwarding data");
+                        }
                        if (!success) {
                                free(s->auth_proto);
                                free(s->auth_data);
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
        s->screen = packet_get_int();
        packet_check_eom();
-        success = session_setup_x11fwd(s);
+        if (xauth_valid_string(s->auth_proto) &&
+            xauth_valid_string(s->auth_data))
+                success = session_setup_x11fwd(s);
+        else {
+                success = 0;
+                error("Invalid X11 forwarding data");
+        }
        if (!success) {
                free(s->auth_proto);
                free(s->auth_data);

diff --git a/session.c b/session.c index 7a02500ab..87fddfc3d 100644 --- a/session.c +++ b/session.c
@@ -46,6 +46,7 @@
46		46
47	#include <arpa/inet.h>	47	#include <arpa/inet.h>
48		48
		49	#include <ctype.h>
49	#include <errno.h>	50	#include <errno.h>
50	#include <fcntl.h>	51	#include <fcntl.h>
51	#include <grp.h>	52	#include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
274	do_cleanup(authctxt);	275	do_cleanup(authctxt);
275	}	276	}
276		277
		278	/* Check untrusted xauth strings for metacharacters */
		279	static int
		280	xauth_valid_string(const char *s)
		281	{
		282	size_t i;
		283
		284	for (i = 0; s[i] != '\0'; i++) {
		285	if (!isalnum((u_char)s[i]) &&
		286	s[i] != '.' && s[i] != ':' && s[i] != '/' &&
		287	s[i] != '-' && s[i] != '_')
		288	return 0;
		289	}
		290	return 1;
		291	}
		292
277	/*	293	/*
278	* Prepares for an interactive session. This is called after the user has	294	* Prepares for an interactive session. This is called after the user has
279	* been successfully authenticated. During this message exchange, pseudo	295	* been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
347	s->screen = 0;	363	s->screen = 0;
348	}	364	}
349	packet_check_eom();	365	packet_check_eom();
350	success = session_setup_x11fwd(s);	366	if (xauth_valid_string(s->auth_proto) &&
		367	xauth_valid_string(s->auth_data))
		368	success = session_setup_x11fwd(s);
		369	else {
		370	success = 0;
		371	error("Invalid X11 forwarding data");
		372	}
351	if (!success) {	373	if (!success) {
352	free(s->auth_proto);	374	free(s->auth_proto);
353	free(s->auth_data);	375	free(s->auth_data);
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
2178	s->screen = packet_get_int();	2200	s->screen = packet_get_int();
2179	packet_check_eom();	2201	packet_check_eom();
2180		2202
2181	success = session_setup_x11fwd(s);	2203	if (xauth_valid_string(s->auth_proto) &&
		2204	xauth_valid_string(s->auth_data))
		2205	success = session_setup_x11fwd(s);
		2206	else {
		2207	success = 0;
		2208	error("Invalid X11 forwarding data");
		2209	}
2182	if (!success) {	2210	if (!success) {
2183	free(s->auth_proto);	2211	free(s->auth_proto);
2184	free(s->auth_data);	2212	free(s->auth_data);