This is an automated email from the ASF dual-hosted git repository.

twolf pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git

commit 249528aa2dd026e2c74605e5a927cc6073175948
Author: Thomas Wolf <tw...@apache.org>
AuthorDate: Mon Jun 3 20:09:37 2024 +0200

    Improve X11 forwarding
    
    Validate the xauth protocol and cookie values to ensure they don't
    contain control characters, like newlines. See [1].
    
    [1] https://www.openssh.com/txt/x11fwd.adv
---
 .../apache/sshd/server/channel/ChannelSession.java | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git 
a/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java 
b/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
index c1a0505fe..9340260ae 100644
--- a/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
+++ b/sshd-core/src/main/java/org/apache/sshd/server/channel/ChannelSession.java
@@ -854,6 +854,12 @@ public class ChannelSession extends AbstractServerChannel {
         String authCookie = buffer.getString();
         int screenId = buffer.getInt();
 
+        // Validate X11 auth protocol and cookie -- must not contain 
metacharacters.
+        // See CVE-2016-3115 xauth injection 
https://www.openssh.com/txt/x11fwd.adv
+        // See https://seclists.org/fulldisclosure/2016/Mar/46
+        if (!isValidXauth(authProtocol) || !isValidXauth(authCookie)) {
+            return RequestHandler.Result.ReplyFailure;
+        }
         return handleX11ForwardingParsed(requestType, session, 
singleConnection, authProtocol, authCookie, screenId);
     }
 
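Review bot: The added guard returns `ReplyFailure` without logging, so a request carrying a malformed xauth protocol or cookie leaves no trace on the server side, although a rejected X11 request is exactly the event an operator hardening against xauth injection would want to see. Consider emitting a warning before the `return`, e.g. `log.warn("handleX11Forwarding({}) rejected X11 request with invalid auth protocol/cookie", this);` (assuming the inherited logger field), taking care not to echo the cookie value itself. The allowlist is applied identically to both values; if the cookie is expected to be hex-encoded, a stricter check for it could be considered, but that is a design choice beyond this hunk. The enclosing method starts before the hunk.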
@@ -901,6 +907,22 @@ public class ChannelSession extends AbstractServerChannel {
         return RequestHandler.Result.ReplySuccess;
     }
 
+    protected boolean isValidXauth(String auth) {
+        // Alphanumeric (US-ASCII), plus '.', ':', '/', '-', and '_'.
+        int length = auth.length();
+        for (int i = 0; i < length; i++) {
+            int c = auth.charAt(i);
+            if ((c >= '0' && c <= '9')
+                    || (c >= 'A' && c <= 'Z')
+                    || (c >= 'a' && c <= 'z')
+                    || (c == '.' || c == ':' || c == '/' || c == '-' || c == 
'_')) {
+                continue;
+            }
+            return false;
+        }
+        return true;
+    }
+
     protected void addEnvVariable(String name, String value) {
         StandardEnvironment e = getEnvironment();
         e.set(name, value);
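Review bot: `isValidXauth` is `protected` and therefore an override point for subclasses, yet it carries no Javadoc; the contract should be spelled out so an override does not silently widen the accepted character set. I would add a Javadoc stating that it returns `true` only when every character of `auth` is a US-ASCII letter or digit or one of `. : / - _`, that this is an allowlist applied to the X11 auth protocol and cookie before they are passed on, plus `@param auth` and `@return` lines. Note that the empty string passes because the loop body never runs, and a `null` argument throws `NullPointerException` on `auth.length()`; presumably `buffer.getString()` never yields `null`, but both behaviours belong in the Javadoc, or the method could start with `if (auth == null || auth.isEmpty()) { return false; }` if the downstream xauth handling needs non-empty values. On style, the loop could be written as `return auth.chars().allMatch(c -> ...)`, though the explicit loop is clear as it stands.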
