From e27eb9e8ec4962955de15e9ae817bd78ef4f8b69 Mon Sep 17 00:00:00 2001
From: Guido van Rooij
Date: Mon, 15 Aug 1994 20:06:13 +0000
Subject: [PATCH] Plug already known security hole. (Brought over from 1.1.5): Fixed security problem with telnetd, which allowed telnet -l -hcert.org localhost to change the user's host in utmp. Thanks to Matthew Green for showing me this one. Reviewed by: karl, guido Submitted by: mrgreen@@mame.mu.oz.au
---
 libexec/telnetd/sys_term.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 1e5021672c6..abb732bedca 100644
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1497,7 +1497,7 @@ start_login(host, autologin, name)
 {
 register char *cp;
 register char **argv;
- char **addarg();
+ char **addarg(), *user;
 extern char *getenv();
 #ifdef UTMPX
 register int pid = getpid();
@@ -1667,7 +1667,12 @@ start_login(host, autologin, name)
 # endif
 } else
 #endif
- if (getenv("USER")) {
+ if (user = getenv("USER")) {
+ if (strchr(user, '-')) {
+ syslog(LOG_ERR, "tried to pass user \"%s\" to login",
+ user);
+ fatal(net, "invalid user");
+ }
 argv = addarg(argv, getenv("USER"));
 #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
 {
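Review bot: The new `strchr(user, '-')` test in start_login rejects a USER value with a hyphen anywhere in it, so a legitimate hyphenated account name (a constructed example: `build-bot`) now ends in `fatal(net, "invalid user")`. Since the value is handed to login as a single argv element, only a leading `-` can be parsed as an option, and `if (user[0] == '-')` would close the hole without that side effect. The `addarg` line that follows calls `getenv("USER")` a second time; `argv = addarg(argv, user);` would guarantee that the string checked is the string forwarded. As a style point, `if ((user = getenv("USER")) != NULL)` makes the assignment in the condition explicit. The branch ending at `} else` above the hunk and the LOGIN_ARGS block below it are outside the visible lines, so whether they forward client-supplied strings to login without the same check cannot be confirmed from here.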