summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDamien Miller <djm@mindrot.org>2016-03-10 05:03:39 +1100
committerDamien Miller <djm@mindrot.org>2016-03-10 05:03:39 +1100
commit9d47b8d3f50c3a6282896df8274147e3b9a38c56 (patch)
tree52726cde86b49d327c0b50cf086532626624ace5
parent72b061d4ba0f909501c595d709ea76e06b01e5c9 (diff)
sanitise characters destined for xauth(1)
reported by github.com/tintinweb
-rw-r--r--session.c32
1 files changed, 30 insertions, 2 deletions
diff --git a/session.c b/session.c
index 7a02500..87fddfc 100644
--- a/session.c
+++ b/session.c
@@ -46,6 +46,7 @@
#include <arpa/inet.h>
+#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
do_cleanup(authctxt);
}
+/* Check untrusted xauth strings for metacharacters */
+static int
+xauth_valid_string(const char *s)
+{
+ size_t i;
+
+ for (i = 0; s[i] != '\0'; i++) {
+ if (!isalnum((u_char)s[i]) &&
+ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
+ s[i] != '-' && s[i] != '_')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Prepares for an interactive session. This is called after the user has
* been successfully authenticated. During this message exchange, pseudo
@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
s->screen = 0;
}
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);
@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
s->screen = packet_get_int();
packet_check_eom();
- success = session_setup_x11fwd(s);
+ if (xauth_valid_string(s->auth_proto) &&
+ xauth_valid_string(s->auth_data))
+ success = session_setup_x11fwd(s);
+ else {
+ success = 0;
+ error("Invalid X11 forwarding data");
+ }
if (!success) {
free(s->auth_proto);
free(s->auth_data);