From b5a42d18ee382ac79a0157eb597af46ba77d9264 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 18 Jan 2012 21:46:44 +0000 Subject: Ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can't be used to play local shell metacharacter games. Report from r00t_ati at ihteam.net, ok markus. --- usr.bin/ssh/clientloop.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/usr.bin/ssh/clientloop.c b/usr.bin/ssh/clientloop.c index 44ca743eb68..1930b4bf7e5 100644 --- a/usr.bin/ssh/clientloop.c +++ b/usr.bin/ssh/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.237 2011/09/10 22:26:34 markus Exp $ */ +/* $OpenBSD: clientloop.c,v 1.238 2012/01/18 21:46:43 dtucker Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -273,6 +273,23 @@ set_control_persist_exit_time(void) /* else we are already counting down to the timeout */ } +#define SSH_X11_VALID_DISPLAY_CHARS ":/.-_" +static int +client_x11_display_valid(const char *display) +{ + size_t i, dlen; + + dlen = strlen(display); + for (i = 0; i < dlen; i++) { + if (!isalnum(display[i]) && + strchr(SSH_X11_VALID_DISPLAY_CHARS, display[i]) == NULL) { + debug("Invalid character '%c' in DISPLAY", display[i]); + return 0; + } + } + return 1; +} + #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" void client_x11_get_proto(const char *display, const char *xauth_path, @@ -295,6 +312,9 @@ client_x11_get_proto(const char *display, const char *xauth_path, if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) { debug("No xauth program."); + } else if (!client_x11_display_valid(display)) { + logit("DISPLAY '%s' invalid, falling back to fake xauth data", + display); } else { if (display == NULL) { debug("x11_get_proto: DISPLAY not set"); -- cgit v1.2.3