0521bb1a51
Resolves: CVE-2023-51385
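diff --git a/ssh.c b/ssh.c
index 35c48e62..48d93ddf 100644
--- a/ssh.c
+++ b/ssh.c
@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
 	free(cinfo);
 }
 
+static int
+valid_hostname(const char *s)
+{
+	size_t i;
+
+	if (*s == '-')
+		return 0;
+	for (i = 0; s[i] != 0; i++) {
+		if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+		    isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+			return 0;
+	}
+	return 1;
+}
+
+static int
+valid_ruser(const char *s)
+{
+	size_t i;
+
+	if (*s == '-')
+		return 0;
+	for (i = 0; s[i] != 0; i++) {
+		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+			return 0;
+		/* Disallow '-' after whitespace */
+		if (isspace((u_char)s[i]) && s[i + 1] == '-')
+			return 0;
+		/* Disallow \ in last position */
+		if (s[i] == '\\' && s[i + 1] == '\0')
+			return 0;
+	}
+	return 1;
+}
+
 /*
  * Main program for the ssh client.
  */
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
 	if (!host)
 		usage();
 
+	if (!valid_hostname(host))
+		fatal("hostname contains invalid characters");
+	if (options.user != NULL && !valid_ruser(options.user))
+		fatal("remote username contains invalid characters");
 	host_arg = xstrdup(host);
 
 	/* Initialize the command to execute on remote host. */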
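Review bot: Neither valid_hostname nor valid_ruser carries a comment saying what it guards, so a later maintainer cannot tell why a leading '-' and shell metacharacters are refused, or why the two character sets differ (the hostname set includes `$` and `\` and also rejects whitespace and control characters, while the user set only refuses `-` after whitespace and a trailing `\`). A header comment on valid_hostname such as `/* Reject hostnames that would be unsafe when expanded into a command line (presumably via %h in ProxyCommand/LocalCommand, per the CVE in the title): leading '-', shell metacharacters, whitespace, control characters. This is deliberately not an RFC hostname check. */` and a parallel one on valid_ruser recording why its set is looser would make the intent durable. In the second hunk the checks cover only the command-line host and `options.user` at this point; whether values that can be set later by configuration are validated elsewhere is not visible in this diff and is worth confirming in a comment at the call site. main() continues beyond the hunk.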