diff options
| author |   djm <djm@openbsd.org> | 2016-03-10 11:47:57 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2016-03-10 11:47:57 +0000 |
| commit | 15432ad120c94357ac3c2bd1c999ff34ec575aa6 (patch) | |
| tree | b21aba80f00214a6ce6868497310896e0e5e5b0a | |
| parent | remove Xr to infnan, a trickily hidden (from me anyway) vax page; (diff) | |
| download | wireguard-openbsd-15432ad120c94357ac3c2bd1c999ff34ec575aa6.tar.xz wireguard-openbsd-15432ad120c94357ac3c2bd1c999ff34ec575aa6.zip | |
sanitise characters destined for xauth
reported by github.com/tintinweb
feedback and ok deraadt and markus
| -rw-r--r-- | usr.bin/ssh/session.c | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index a6ee5593f22..1e0935334c6 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.281 2016/03/07 19:02:43 djm Exp $ */ +/* $OpenBSD: session.c,v 1.282 2016/03/10 11:47:57 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -40,6 +40,7 @@ #include <sys/socket.h> #include <sys/queue.h> +#include <ctype.h> #include <errno.h> #include <fcntl.h> #include <grp.h> @@ -256,6 +257,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -329,7 +345,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -1809,7 +1831,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); |