Re: ssh-keygen: sanitize ANSI escape sequences in key comment

On Sat, Jan 02, 2016 at 10:20:15PM +0100, Roland Hieber wrote:
> On 02.01.2016 22:12, Roland Hieber wrote:
> > Since this is my first patch to OpenSSH, I'm very open for feedback :-)
> 
> ...he wrote without attaching the patch...

Hi, and thank you for pointing that out.

> +	char * pc = NULL;

nitpick: char *pc (without space)?

> +
> +	while ((pc = strchr(comment, '\x1b'))) {
> +		*pc = '.';
> +	}
> +
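
Review bot: the strchr(comment, '\x1b') loop replaces only the ESC byte, so any other control byte in the comment (the 8-bit CSI 0x9b, carriage return, backspace) is left unchanged; checking each byte against a set of allowed characters and replacing everything else would cover those as well. The loop also calls strchr from the start of comment on every iteration; continuing the search from pc + 1 avoids rescanning the part already cleaned.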

Why not add the escape char to the reject list in sshkey_try_load_public
(authfile.c)?

Makes me think that it would be safer to use strspn with a conservative
accept set, or scan all chars for isalnum(c) || isblank(c) ||
ispunct(c).

Just my two cents.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
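
The allowlist scan suggested in the reply above, written out as an added example; it is not code from the original message, the patch, or OpenSSH. The function names, the accept set and the sample comment are assumptions constructed here, and rejected bytes are replaced with '.' as in the quoted patch.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Conservative accept set for the strspn() variant (constructed here). */
static const char ACCEPT[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789 @._-+:/=,";

/* Returns 1 if every byte of s is in ACCEPT, 0 otherwise. */
int comment_is_clean(const char *s)
{
    return s[strspn(s, ACCEPT)] == '\0';
}

/*
 * Replace, in place, every byte that is not alphanumeric, blank or
 * punctuation with '.'. Returns the number of bytes replaced.
 * The cast to unsigned char matters: passing a negative char value
 * to the <ctype.h> functions is undefined behaviour.
 * Assumes the default "C" locale, where bytes >= 0x80 match no class.
 */
size_t sanitize_comment(char *s)
{
    size_t replaced = 0;

    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;

        if (!(isalnum(c) || isblank(c) || ispunct(c))) {
            *s = '.';
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample: ESC colour sequence, 8-bit CSI, carriage return. */
    char comment[] = "user@host\x1b[31m red\x9b" "2J\rend";
    size_t n = sanitize_comment(comment);

    printf("replaced %zu byte(s): %s\n", n, comment);
    return 0;
}
```

The per-byte scan catches the 8-bit CSI and the carriage return that a search for `'\x1b'` alone leaves in place.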


