7a3fc19192
FreeBSD-16:04.hyperv FreeBSD-16:05.hv_netvsc FreeBSD-SA-16:14.openssh FreeBSD-SA-16:15.sysarch
62 lines
1.4 KiB
Diff
62 lines
1.4 KiB
Diff
--- crypto/openssh/session.c.orig
|
|
+++ crypto/openssh/session.c
|
|
@@ -46,6 +46,7 @@
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
+#include <ctype.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <grp.h>
|
|
@@ -274,6 +275,21 @@
|
|
do_cleanup(authctxt);
|
|
}
|
|
|
|
+/* Check untrusted xauth strings for metacharacters */
|
|
+static int
|
|
+xauth_valid_string(const char *s)
|
|
+{
|
|
+ size_t i;
|
|
+
|
|
+ for (i = 0; s[i] != '\0'; i++) {
|
|
+ if (!isalnum((u_char)s[i]) &&
|
|
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
|
|
+ s[i] != '-' && s[i] != '_')
|
|
+ return 0;
|
|
+ }
|
|
+ return 1;
|
|
+}
|
|
+
|
|
/*
|
|
* Prepares for an interactive session. This is called after the user has
|
|
* been successfully authenticated. During this message exchange, pseudo
|
|
@@ -347,7 +363,13 @@
|
|
s->screen = 0;
|
|
}
|
|
packet_check_eom();
|
|
- success = session_setup_x11fwd(s);
|
|
+ if (xauth_valid_string(s->auth_proto) &&
|
|
+ xauth_valid_string(s->auth_data))
|
|
+ success = session_setup_x11fwd(s);
|
|
+ else {
|
|
+ success = 0;
|
|
+ error("Invalid X11 forwarding data");
|
|
+ }
|
|
if (!success) {
|
|
free(s->auth_proto);
|
|
free(s->auth_data);
|
|
@@ -2178,7 +2200,13 @@
|
|
s->screen = packet_get_int();
|
|
packet_check_eom();
|
|
|
|
- success = session_setup_x11fwd(s);
|
|
+ if (xauth_valid_string(s->auth_proto) &&
|
|
+ xauth_valid_string(s->auth_data))
|
|
+ success = session_setup_x11fwd(s);
|
|
+ else {
|
|
+ success = 0;
|
|
+ error("Invalid X11 forwarding data");
|
|
+ }
|
|
if (!success) {
|
|
free(s->auth_proto);
|
|
free(s->auth_data);
|