You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
64 lines
1.6 KiB
64 lines
1.6 KiB
diff --git a/session.c b/session.c |
|
index 9a75c62..4859245 100644 |
|
--- a/session.c |
|
+++ b/session.c |
|
@@ -46,6 +46,7 @@ |
|
|
|
#include <arpa/inet.h> |
|
|
|
+#include <ctype.h> |
|
#include <errno.h> |
|
#include <fcntl.h> |
|
#include <grp.h> |
|
@@ -292,6 +293,21 @@ do_authenticated(Authctxt *authctxt) |
|
do_cleanup(authctxt); |
|
} |
|
|
|
+/* Check untrusted xauth strings for metacharacters */ |
|
+static int |
|
+xauth_valid_string(const char *s) |
|
+{ |
|
+ size_t i; |
|
+ |
|
+ for (i = 0; s[i] != '\0'; i++) { |
|
+ if (!isalnum((u_char)s[i]) && |
|
+ s[i] != '.' && s[i] != ':' && s[i] != '/' && |
|
+ s[i] != '-' && s[i] != '_') |
|
+ return 0; |
|
+ } |
|
+ return 1; |
|
+} |
|
+ |
|
/* |
|
* Prepares for an interactive session. This is called after the user has |
|
* been successfully authenticated. During this message exchange, pseudo |
|
@@ -365,7 +381,13 @@ do_authenticated1(Authctxt *authctxt) |
|
s->screen = 0; |
|
} |
|
packet_check_eom(); |
|
- success = session_setup_x11fwd(s); |
|
+ if (xauth_valid_string(s->auth_proto) && |
|
+ xauth_valid_string(s->auth_data)) |
|
+ success = session_setup_x11fwd(s); |
|
+ else { |
|
+ success = 0; |
|
+ error("Invalid X11 forwarding data"); |
|
+ } |
|
if (!success) { |
|
free(s->auth_proto); |
|
free(s->auth_data); |
|
@@ -2219,7 +2241,13 @@ session_x11_req(Session *s) |
|
s->screen = packet_get_int(); |
|
packet_check_eom(); |
|
|
|
- success = session_setup_x11fwd(s); |
|
+ if (xauth_valid_string(s->auth_proto) && |
|
+ xauth_valid_string(s->auth_data)) |
|
+ success = session_setup_x11fwd(s); |
|
+ else { |
|
+ success = 0; |
|
+ error("Invalid X11 forwarding data"); |
|
+ } |
|
if (!success) { |
|
free(s->auth_proto); |
|
free(s->auth_data);
|
|
|