authorDarren Tucker <dtucker@zip.com.au>2007-08-15 19:13:41 +1000
committerDarren Tucker <dtucker@zip.com.au>2007-08-15 19:13:41 +1000
commit513d13accd7925f6c94ffe2003c15ee5bbc5e9d1 (patch)
tree3f91c55f04f6b2b251740c0e2e8a849f8637c74a
parent2d9636471bb75c10342dbabcc2f6a0b2e60cca01 (diff)
- markus@cvs.openbsd.org 2007/08/15 08:14:46
[clientloop.c] do NOT fall back to the trusted x11 cookie if generation of an untrusted cookie fails; from security-alert at sun.com; ok dtucker
-rw-r--r--ChangeLog9
-rw-r--r--clientloop.c38
2 files changed, 32 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index 8a602213..62fd4d68 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20070815
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2007/08/15 08:14:46
+ [clientloop.c]
+ do NOT fall back to the trused x11 cookie if generation of an untrusted
+ cookie fails; from security-alert at sun.com; ok dtucker
+
20070813
- (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
called with PAM_ESTABLISH_CRED at least once, which resolves a problem
@@ -3152,4 +3159,4 @@
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@
-$Id: ChangeLog,v 1.4725 2007/08/13 13:11:56 dtucker Exp $
+$Id: ChangeLog,v 1.4726 2007/08/15 09:13:41 dtucker Exp $
diff --git a/clientloop.c b/clientloop.c
index 538644c2..b57fda04 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.180 2007/08/07 07:32:53 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -290,19 +290,29 @@ client_x11_get_proto(const char *display, const char *xauth_path,
generated = 1;
}
}
- snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s 2>" _PATH_DEVNULL,
- xauth_path,
- generated ? "-f " : "" ,
- generated ? xauthfile : "",
- display);
- debug2("x11_get_proto: %s", cmd);
- f = popen(cmd, "r");
- if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %511s %511s", proto, data) == 2)
- got_data = 1;
- if (f)
- pclose(f);
+
+ /*
+ * When in untrusted mode, we read the cookie only if it was
+ * successfully generated as an untrusted one in the step
+ * above.
+ */
+ if (trusted || generated) {
+ snprintf(cmd, sizeof(cmd),
+ "%s %s%s list %s 2>" _PATH_DEVNULL,
+ xauth_path,
+ generated ? "-f " : "" ,
+ generated ? xauthfile : "",
+ display);
+ debug2("x11_get_proto: %s", cmd);
+ f = popen(cmd, "r");
+ if (f && fgets(line, sizeof(line), f) &&
+ sscanf(line, "%*s %511s %511s", proto, data) == 2)
+ got_data = 1;
+ if (f)
+ pclose(f);
+ } else
+ error("Warning: untrusted X11 forwarding setup failed: "
+ "xauth key data not generated");
}
if (do_unlink) {