RepoMirrors
/
openssh
mirror of git://anongit.mindrot.org/openssh.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- djm@cvs.openbsd.org 2014/03/03 22:22:30 

[session.c]
     ignore enviornment variables with embedded '=' or '\0' characters;
     spotted by Jann Horn; ok deraadt@
This commit is contained in:
Damien Miller 2014-03-04 09:35:17 +11:00
parent 2476c31b96
commit 8569eba5d7
2 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,3 +1,10 @@
20140304
- OpenBSD CVS Sync
- djm@cvs.openbsd.org 2014/03/03 22:22:30
[session.c]
ignore enviornment variables with embedded '=' or '\0' characters;
spotted by Jann Horn; ok deraadt@
20140301
- (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
no moduli file exists at the expected location.

9
session.c
View File

@ -978,6 +978,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
u_int envsize;
u_int i, namelen;
if (strchr(name, '=') != NULL) {
error("Invalid environment variable \"%.100s\"", name);
return;
}
/*
* If we're passed an uninitialized list, allocate a single null
* entry before continuing.
@ -2225,8 +2230,8 @@ session_env_req(Session *s)
char *name, *val;
u_int name_len, val_len, i;
name = packet_get_string(&name_len);
val = packet_get_string(&val_len);
name = packet_get_cstring(&name_len);
val = packet_get_cstring(&val_len);
packet_check_eom();
/* Don't set too many environment variables */