diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2016-03-10 11:47:58 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2016-03-10 11:47:58 +0000 |
| commit | 0c59e4d13c1db108f7bf9412058c0b37a9bf0e39 (patch) | |
| tree | dd7cd9d1233715a722ff93a738028bef4ae6c61f | |
| parent | 7c3c70952832c3e6ed28b14c4aff674ec904fef5 (diff) | |
sanitise characters destined for xauth
reported by github.com/tintinweb
feedback and ok deraadt and markus
| -rw-r--r-- | usr.bin/ssh/session.c | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index a6ee5593f22..1e0935334c6 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.281 2016/03/07 19:02:43 djm Exp $ */ +/* $OpenBSD: session.c,v 1.282 2016/03/10 11:47:57 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -40,6 +40,7 @@ #include <sys/socket.h> #include <sys/queue.h> +#include <ctype.h> #include <errno.h> #include <fcntl.h> #include <grp.h> @@ -256,6 +257,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -329,7 +345,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -1809,7 +1831,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); |