authorDamien Miller <djm@mindrot.org>2003-02-24 11:52:58 +1100
committerDamien Miller <djm@mindrot.org>2003-02-24 11:52:58 +1100
commiteeeeb3517e3b878bc4d2f8db9cbebd8e912b0cca (patch)
tree8daa1bc48e6f7a51eb515519f30c72ef2537fa09
parentffadc583f63eb8b37750bdce6b70c6102ae621b4 (diff)
- markus@cvs.openbsd.org 2003/02/02 10:51:13
[scp.c] call okname() only when using system(3) for remote-remote copy; fixes bugs #483, #472; ok deraadt@, mouring@
-rw-r--r--ChangeLog6
-rw-r--r--scp.c23
2 files changed, 20 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index a966fbdd..c36f5205 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,10 @@
[sshd.8]
typos; sshd(8): help and ok markus@
help and ok millert@
+ - markus@cvs.openbsd.org 2003/02/02 10:51:13
+ [scp.c]
+ call okname() only when using system(3) for remote-remote copy;
+ fixes bugs #483, #472; ok deraadt@, mouring@
20030211
- (djm) Cygwin needs libcrypt too. Patch from vinschen@redhat.com
@@ -1120,4 +1124,4 @@
save auth method before monitor_reset_key_state(); bugzilla bug #284;
ok provos@
-$Id: ChangeLog,v 1.2598 2003/02/24 00:52:26 djm Exp $
+$Id: ChangeLog,v 1.2599 2003/02/24 00:52:58 djm Exp $
diff --git a/scp.c b/scp.c
index 60484e76..e44a1cf6 100644
--- a/scp.c
+++ b/scp.c
@@ -75,7 +75,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.100 2003/01/23 14:06:15 markus Exp $");
+RCSID("$OpenBSD: scp.c,v 1.101 2003/02/02 10:51:13 markus Exp $");
#include "xmalloc.h"
#include "atomicio.h"
@@ -370,8 +370,6 @@ toremote(targ, argc, argv)
tuser = argv[argc - 1];
if (*tuser == '\0')
tuser = NULL;
- else if (!okname(tuser))
- exit(1);
} else {
thost = argv[argc - 1];
tuser = NULL;
@@ -399,6 +397,8 @@ toremote(targ, argc, argv)
suser = pwd->pw_name;
else if (!okname(suser))
continue;
+ if (tuser && !okname(tuser))
+ continue;
snprintf(bp, len,
"%s%s %s -n "
"-l %s %s %s %s '%s%s%s:%s'",
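Review bot: An invalid target user name used to stop the program with `exit(1)` (the lines removed in the previous hunk), but the check added before `snprintf` uses `continue`, so every source argument is skipped and the loop simply carries on. Nothing visible in this hunk records the failure, so the process may end with a success status after copying nothing. If toremote() keeps an error count, it should be bumped on this path, for example `if (tuser && !okname(tuser)) { ++errs; continue; }`, with the counter name taken from the rest of the file. `tuser` does not change inside the loop, so the test could also be done once before it for the remote-to-remote case. toremote() starts and ends outside the hunk.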
@@ -472,8 +472,6 @@ tolocal(argc, argv)
suser = argv[i];
if (*suser == '\0')
suser = pwd->pw_name;
- else if (!okname(suser))
- continue;
}
host = cleanhostname(host);
len = strlen(src) + CMDNEEDS + 20;
@@ -1085,9 +1083,18 @@ okname(cp0)
c = (int)*cp;
if (c & 0200)
goto bad;
- if (!isalpha(c) && !isdigit(c) &&
- c != '@' && c != '_' && c != '-' && c != '.' && c != '+')
- goto bad;
+ if (!isalpha(c) && !isdigit(c)) {
+ switch (c) {
+ case '\'':
+ case '"':
+ case '`':
+ case ' ':
+ case '#':
+ goto bad;
+ default:
+ break;
+ }
+ }
} while (*++cp);
return (1);
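Review bot: The rewritten test in okname() replaces an allowlist with a denylist: after the high-bit check only the single quote, double quote, backquote, space and `#` reach `goto bad`, so every other punctuation or control character that a shell treats specially is now accepted. Per the commit message okname() is the guard for the system(3) path, and the format string in the toremote hunk places the `-l %s` value outside any quoting, so this function appears to be the only filter on that argument. It would be safer to keep the removed form and widen it only as far as bugs #483 and #472 require, e.g. `if (!isalpha(c) && !isdigit(c) && c != '@' && c != '_' && c != '-' && c != '.' && c != '+' /* plus the characters those reports need */) goto bad;`, or to stop building a shell command and pass the user name as its own argv element. A short comment above the `switch` stating why exactly these five characters are rejected would also help the next reader. okname() starts and ends outside the hunk.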