blob: d5e41d99e45a753cdc700c1077d6c341f2dd3fe5 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
|
From 4b4bfb01cd40b9ddb948e6026ddd287cc303d871 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 10 Mar 2016 11:47:57 +0000
Subject: upstream commit
sanitise characters destined for xauth reported by
github.com/tintinweb feedback and ok deraadt and markus
Upstream-ID: 18ad8d0d74cbd2ea3306a16595a306ee356aa261
---
session.c | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/session.c b/session.c
index 9a75c62..4859245 100644
--- a/session.c
+++ b/session.c
@@ -46,6 +46,7 @@
#include <arpa/inet.h>
+#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
do_cleanup(authctxt);
}
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+ size_t i;
+
+ for (i = 0; s[i] != '\0'; i++) {
+ if (!isalnum((u_char)s[i]) &&
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+ s[i] != '-' && s[i] != '_')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Prepares for an interactive session. This is called after the user has
* been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
s->screen = 0;
}
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
@@ -2184,7 +2206,13 @@ session_x11_req(Session *s)
s->screen = packet_get_int();
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
--
cgit v0.11.2
|
