summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@cvs.openbsd.org>2012-01-18 21:46:44 +0000
committerDarren Tucker <dtucker@cvs.openbsd.org>2012-01-18 21:46:44 +0000
commitb5a42d18ee382ac79a0157eb597af46ba77d9264 (patch)
tree848d73a3637629c26289aab6093735814ade2943
parent0ec82c3d7552767eb33970908c28998cda26b470 (diff)
Ensure that $DISPLAY contains only valid characters before using it to
extract xauth data so that it can't be used to play local shell metacharacter games. Report from r00t_ati at ihteam.net, ok markus.
-rw-r--r--usr.bin/ssh/clientloop.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c
index 44ca743eb68..1930b4bf7e5 100644
--- a/usr.bin/ssh/clientloop.c
+++ b/usr.bin/ssh/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.237 2011/09/10 22:26:34 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -273,6 +273,23 @@ set_control_persist_exit_time(void)
/* else we are already counting down to the timeout */
}
+#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_"
+static int
+client_x11_display_valid(const char *display)
+{
+ size_t i, dlen;
+
+ dlen = strlen(display);
+ for (i = 0; i < dlen; i++) {
+ if (!isalnum(display[i]) &&
+ strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) {
+ debug("Invalid character '%c' in DISPLAY", display[i]);
+ return 0;
+ }
+ }
+ return 1;
+}
+
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
void
client_x11_get_proto(const char *display, const char *xauth_path,
@@ -295,6 +312,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
debug("No xauth program.");
+ } else if (!client_x11_display_valid(display)) {
+ logit("DISPLAY '%s' invalid, falling back to fake xauth data",
+ display);
} else {
if (display == NULL) {
debug("x11_get_proto: DISPLAY not set");