diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2016-03-10 20:12:09 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2016-03-10 20:12:09 +0000 |
| commit | b5a1df4a77c86979aff60b2660dca65aacccbb09 (patch) | |
| tree | 47f287e0aeb4249065021d642e66e786ee90a5ba /session.c | |
| parent | ff4b04e0d6105849f2b141c035ecd92a4ebc6d97 (diff) | |
Diffstat (limited to 'session.c')
| -rw-r--r-- | session.c | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/session.c b/session.c index 7a02500ab68f..87fddfc3db2d 100644 --- a/session.c +++ b/session.c @@ -46,6 +46,7 @@ #include <arpa/inet.h> +#include <ctype.h> #include <errno.h> #include <fcntl.h> #include <grp.h> @@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt) do_cleanup(authctxt); } +/* Check untrusted xauth strings for metacharacters */ +static int +xauth_valid_string(const char *s) +{ + size_t i; + + for (i = 0; s[i] != '\0'; i++) { + if (!isalnum((u_char)s[i]) && + s[i] != '.' && s[i] != ':' && s[i] != '/' && + s[i] != '-' && s[i] != '_') + return 0; + } + return 1; +} + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt) s->screen = 0; } packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); @@ -2178,7 +2200,13 @@ session_x11_req(Session *s) s->screen = packet_get_int(); packet_check_eom(); - success = session_setup_x11fwd(s); + if (xauth_valid_string(s->auth_proto) && + xauth_valid_string(s->auth_data)) + success = session_setup_x11fwd(s); + else { + success = 0; + error("Invalid X11 forwarding data"); + } if (!success) { free(s->auth_proto); free(s->auth_data); |