aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/fossil-CVE-2017-17459.patch
blob: e566235b4ecbe58b928470c1153a4c904d382c95 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
Fix CVE-2017-17459:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459

Patch copied from upstream source repository:

https://www.fossil-scm.org/xfer/info/1f63db591c77108c

Index: src/http_transport.c
==================================================================
--- src/http_transport.c
+++ src/http_transport.c
@@ -73,10 +73,23 @@
   if( resetFlag ){
     transport.nSent = 0;
     transport.nRcvd = 0;
   }
 }
+
+/*
+** Remove leading "-" characters from the input string.
+**
+** This prevents attacks that try to trick a victim into using
+** a ssh:// URI with a carefully crafted hostname of other
+** parameter that ends up being interpreted as a command-line
+** option by "ssh".
+*/
+static const char *stripLeadingMinus(const char *z){
+  while( z[0]=='-' ) z++;
+  return z;
+}
 
 /*
 ** Default SSH command
 */
 #ifdef _WIN32
@@ -116,17 +129,17 @@
   }else{
     zHost = mprintf("%s", pUrlData->name);
   }
   n = blob_size(&zCmd);
   blob_append(&zCmd, " ", 1);
-  shell_escape(&zCmd, zHost);
+  shell_escape(&zCmd, stripLeadingMinus(zHost));
   blob_append(&zCmd, " ", 1);
   shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
   blob_append(&zCmd, " test-http", 10);
   if( pUrlData->path && pUrlData->path[0] ){
     blob_append(&zCmd, " ", 1);
-    shell_escape(&zCmd, mprintf("%s", pUrlData->path));
+    shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
   }
   if( g.fSshTrace ){
     fossil_print("%s\n", blob_str(&zCmd)+n);  /* Show tail of SSH command */
   }
   free(zHost);