mirror of git://anongit.mindrot.org/openssh.git
upstream: replace recently-added valid_domain() check for hostnames
going to known_hosts with a more relaxed check for bad characters; previous commit broke address literals. Reported by/feedback from florian@ OpenBSD-Commit-ID: 10b86dc6a4b206adaa0c11b58b6d5933898d43e0
This commit is contained in:
parent
9655217231
commit
3cae9f92a3
20
sshconnect.c
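--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.359 2022/10/24 22:43:36 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.360 2022/11/03 21:59:20 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -960,6 +960,17 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 return 0;
 }
 
+/*
+* Don't ever try to write an invalid name to a known hosts file.
+* Note: do this before get_hostfile_hostname_ipaddr() to catch
+* '[' or ']' in the name before they are added.
+*/
+if (strcspn(hostname, "@?*#[]|'\'\"\\") != strlen(hostname)) {
+debug_f("invalid hostname \"%s\"; will not record: %s",
+hostname, fail_reason);
+readonly = RDONLY;
+}
+
 /*
 * Prepare the hostname and address strings used for hostkey lookup.
 * In some cases, these will have a port number appended.
@@ -1018,13 +1029,6 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
 (host_found != NULL && host_found->note != 0)))
 readonly = RDONLY;
 
-/* Don't ever try to write an invalid name to a known hosts file */
-if (!valid_domain(hostname, 0, &fail_reason)) {
-debug_f("invalid hostname \"%s\"; will not record: %s",
-hostname, fail_reason);
-readonly = RDONLY;
-}
-
 /*
 * Also perform check for the ip address, skip the check if we are
 * localhost, looking for a certificate, or the hostname was an ip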
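Review bot: `fail_reason` is still passed to the debug_f() call in the new strcspn() block, but nothing in this hunk assigns it; the only assignment visible on the page is the `valid_domain(hostname, 0, &fail_reason)` call this commit removes, so unless the variable is initialised at its declaration (outside the hunk) the `%s` formats a stale or uninitialised pointer, and even a NULL initialiser leaves `%s` on NULL undefined. The simplest fix is to drop the reason from the message: `debug_f("invalid hostname \"%s\"; will not record", hostname);`. The rejected characters form a denylist of known_hosts metacharacters; whitespace and control characters, which the whitespace- and line-delimited known_hosts format also treats specially, are not in it, so a comment stating why they cannot reach this point, or an `isspace()`/`iscntrl()` pass over the name, would make the intent explicit. `strcspn()` followed by `strlen()` scans the name twice; `hostname[strcspn(hostname, "@?*#[]|'\'\"\\")] != '\0'` does it once, though that is a matter of taste. check_host_key() begins and ends outside the hunk.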