58 lines
1.5 KiB
Diff
58 lines
1.5 KiB
Diff
Fix CVE-2017-17459:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://www.fossil-scm.org/xfer/info/1f63db591c77108c
|
|
|
|
Index: src/http_transport.c
|
|
==================================================================
|
|
--- src/http_transport.c
|
|
+++ src/http_transport.c
|
|
@@ -73,10 +73,23 @@
|
|
if( resetFlag ){
|
|
transport.nSent = 0;
|
|
transport.nRcvd = 0;
|
|
}
|
|
}
|
|
+
|
|
+/*
|
|
+** Remove leading "-" characters from the input string.
|
|
+**
|
|
+** This prevents attacks that try to trick a victim into using
|
|
+** a ssh:// URI with a carefully crafted hostname of other
|
|
+** parameter that ends up being interpreted as a command-line
|
|
+** option by "ssh".
|
|
+*/
|
|
+static const char *stripLeadingMinus(const char *z){
|
|
+ while( z[0]=='-' ) z++;
|
|
+ return z;
|
|
+}
|
|
|
|
/*
|
|
** Default SSH command
|
|
*/
|
|
#ifdef _WIN32
|
|
@@ -116,17 +129,17 @@
|
|
}else{
|
|
zHost = mprintf("%s", pUrlData->name);
|
|
}
|
|
n = blob_size(&zCmd);
|
|
blob_append(&zCmd, " ", 1);
|
|
- shell_escape(&zCmd, zHost);
|
|
+ shell_escape(&zCmd, stripLeadingMinus(zHost));
|
|
blob_append(&zCmd, " ", 1);
|
|
shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
|
|
blob_append(&zCmd, " test-http", 10);
|
|
if( pUrlData->path && pUrlData->path[0] ){
|
|
blob_append(&zCmd, " ", 1);
|
|
- shell_escape(&zCmd, mprintf("%s", pUrlData->path));
|
|
+ shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
|
|
}
|
|
if( g.fSshTrace ){
|
|
fossil_print("%s\n", blob_str(&zCmd)+n); /* Show tail of SSH command */
|
|
}
|
|
free(zHost);
|
|
|