Plug security hole that was already fixed in 1.1. It prevents
a user from specifying their hostname when rlogin()-ing in (using rlogin -f-h<host>) Reviewed by: Submitted by:
@@ -293,6 +293,11 @@ doit(f, fromp)
|
|||||||
if (f > 2) /* f should always be 0, but... */
|
if (f > 2) /* f should always be 0, but... */
|
||||||
(void) close(f);
|
(void) close(f);
|
||||||
setup_term(0);
|
setup_term(0);
|
||||||
|
if (strchr(lusername, '-')) {
|
||||||
|
syslog(LOG_ERR, "tried to pass user \"%s\" to login",
|
||||||
|
lusername);
|
||||||
|
fatal(STDERR_FILENO, "invalid user", 0);
|
||||||
|
}
|
||||||
if (authenticated) {
|
if (authenticated) {
|
||||||
#ifdef KERBEROS
|
#ifdef KERBEROS
|
||||||
if (use_kerberos && (pwd->pw_uid == 0))
|
if (use_kerberos && (pwd->pw_uid == 0))
|
||||||
|
|||||||
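Review bot: The added `strchr(lusername, '-')` test refuses every remote user name that contains a hyphen anywhere, so an ordinary name such as `jean-luc` is rejected along with the option-like names the commit message describes. If a leading `-` is the only form login would parse as an option (the call that hands `lusername` to login is outside this hunk, so this is inferred from the syslog text), `if (lusername[0] == '-') {` would close the hole without locking those accounts out. If the broad test is kept on purpose, say so in a comment above it, for example `/* a name starting with '-' would be read by login as an option; reject any '-' to be safe */`. The logged name is attacker-supplied and unbounded, so a precision such as `\"%.64s\"` in the syslog format would keep a hostile value from flooding the log line. doit() starts and ends outside the hunk.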