aboutsummaryrefslogtreecommitdiff
path: root/libexec/telnetd
diff options
context:
space:
mode:
authorGuido van Rooij <guido@FreeBSD.org>1994-08-15 20:06:13 +0000
committerGuido van Rooij <guido@FreeBSD.org>1994-08-15 20:06:13 +0000
commite27eb9e8ec4962955de15e9ae817bd78ef4f8b69 (patch)
tree731d35a45785fce78fdb5ad2c70b75dc029723fd /libexec/telnetd
parent949690303259f8e5fb245044cef9e670231c7c9e (diff)
downloadsrc-e27eb9e8ec4962955de15e9ae817bd78ef4f8b69.tar.gz
src-e27eb9e8ec4962955de15e9ae817bd78ef4f8b69.zip
Plug already known security hole. (Brought over from 1.1.5):
Fixed security problem with telnetd, which allowed telnet -l -hcert.org localhost to change the user's host in utmp. Thanks to Matthew Green <mrgreen@@mame.mu.oz.au> for showing me this one. Reviewed by: karl, guido Submitted by: mrgreen@@mame.mu.oz.au
Notes
Notes: svn path=/head/; revision=2077
Diffstat (limited to 'libexec/telnetd')
-rw-r--r--libexec/telnetd/sys_term.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 1e5021672c64..abb732bedca5 100644
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1497,7 +1497,7 @@ start_login(host, autologin, name)
{
register char *cp;
register char **argv;
- char **addarg();
+ char **addarg(), *user;
extern char *getenv();
#ifdef UTMPX
register int pid = getpid();
@@ -1667,7 +1667,12 @@ start_login(host, autologin, name)
# endif
} else
#endif
- if (getenv("USER")) {
+ if (user = getenv("USER")) {
+ if (strchr(user, '-')) {
+ syslog(LOG_ERR, "tried to pass user \"%s\" to login",
+ user);
+ fatal(net, "invalid user");
+ }
argv = addarg(argv, getenv("USER"));
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-01 11:20:07 +0000