[X2Go-Commits] [x2goclient] 01/01: src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 systems and add a TOCTU-race check to see if the file exists prior to calling privatekey_from_file () on such systems.
git-admin at x2go.org
git-admin at x2go.org
Mon Mar 6 12:50:01 CET 2017
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master
in repository x2goclient.
commit 2e90d7b33d563873b1221edb2eed756c5e186ebc
Author: Mihai Moldovan <ionic at ionic.de>
Date: Mon Mar 6 12:49:16 2017 +0100
src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0 systems and add a TOCTU-race check to see if the file exists prior to calling privatekey_from_file () on such systems.
Additionally fix a type issue.
---
debian/changelog | 4 ++++
src/sshmasterconnection.cpp | 17 ++++++++++++++---
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index a1e1573..dc1fbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -132,6 +132,10 @@ x2goclient (4.1.0.1-0x2go1) UNRELEASED; urgency=medium
- src/sshmasterconnection.cpp: use new PKI-based libssh API for public key
authentication for libssh 0.6.0 and higher. Fixes: #1119.
- src/sshmasterconnection.cpp: add YubiKey challenge auth prompt.
+ - src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0
+ systems and add a TOCTU-race check to see if the file exists prior to
+ calling privatekey_from_file () on such systems. Additionally fix a type
+ issue.
[ Oleksandr Shneyder ]
* New upstream version (4.1.0.1):
diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp
index a97bbbf..8e620c2 100644
--- a/src/sshmasterconnection.cpp
+++ b/src/sshmasterconnection.cpp
@@ -1241,7 +1241,18 @@ bool SshMasterConnection::userAuthWithKey()
priv_key = NULL;
}
#else
- ssh_private_key priv_key = privatekey_from_file (my_ssh_session, tmp_ba.data (), NULL, NULL);
+ /* This is TOCTU, but forced upon us by libssh's legacy function. */
+ {
+ QFile tmp_file (keyName);
+ if (tmp_file.open (QIODevice::ReadOnly)) {
+ tmp_file.close ();
+ }
+ else {
+ /* Don't pass invalid files to privatekey_from_file () - it crashes in this case. */
+ return (false);
+ }
+ }
+ ssh_private_key priv_key = privatekey_from_file (my_ssh_session, tmp_ba.data (), 0, NULL);
#endif
int i=0;
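Review bot: The guard in front of the legacy `privatekey_from_file ()` call only shows that `keyName` could be opened for reading, so a readable but empty or malformed key file still reaches the call the comment says crashes, and the file can be swapped or removed between `tmp_file.close ()` and the libssh call. The else-branch comment should state that limit, e.g. `/* Only catches a missing or unreadable file; content is not validated and the file may change before libssh opens it. */` (and the usual spelling is TOCTOU). The check opens `keyName` while libssh is handed `tmp_ba.data ()`; `tmp_ba` is assigned outside the hunk, so it is worth confirming both refer to the same path. The early `return (false)` is also silent, whereas the later failure branches in this function open an `#ifdef DEBUG` block, presumably to log; userAuthWithKey() starts and ends outside the hunk.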
@@ -1288,7 +1299,7 @@ bool SshMasterConnection::userAuthWithKey()
#if LIBSSH_VERSION_INT >= SSH_VERSION_INT (0, 6, 0)
if (SSH_OK != rc)
#else
- if (!prkey)
+ if (!priv_key)
#endif
{
#ifdef DEBUG
@@ -1310,7 +1321,7 @@ bool SshMasterConnection::userAuthWithKey()
#if LIBSSH_VERSION_INT >= SSH_VERSION_INT (0, 6, 0)
if (SSH_OK != rc)
#else
- if (!pubkey)
+ if (!pub_key)
#endif
{
#ifdef DEBUG
--
Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git