[Bug 111] sshd syslogs raw untrusted data

bugzilla-daemon at mindrot.org
Wed Jul 21 09:59:44 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=111

peak at argo.troja.mff.cuni.cz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
         Resolution|FIXED                       |



------- Additional Comments From peak at argo.troja.mff.cuni.cz  2004-07-21 09:59 -------
The current code in log.c fails to address the problem. It does
strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), VIS_SAFE|VIS_OCTAL);
but this leaves nasty characters like LFs (misinterpreted by Solaris
syslog()...see above) alone.

On the other hand, stricter vis() flags make debugging output (sshd -d) ugly
because some debugging messages include a "natural" newline.

I think the code should read:

strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), log_on_stderr ?
        VIS_SAFE|VIS_OCTAL : VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL);




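The point of the comment above is that VIS_SAFE deliberately leaves LF, TAB, CR, BS and BEL unencoded, so a user-controlled string that reaches syslog() through log.c can still carry an embedded newline and forge a second log record. The following C program is an added illustration, not code from the bug report, from OpenSSH's log.c or from vis(3) itself: `escape_for_log()` is a simplified model of the two flag sets named in the comment, the "Invalid user ... from ..." message and the attacker-chosen user name are constructed for the demonstration, and the function names are this example's own.

```c
/* Added example: simplified model of strnvis() under VIS_SAFE|VIS_OCTAL versus
 * VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL, showing why only the stricter flag set
 * stops an untrusted string from injecting a second syslog line.
 * Approximation of vis(3) semantics, not vis(3) or OpenSSH code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum escape_mode {
    ESC_SAFE_OCTAL,          /* models VIS_SAFE|VIS_OCTAL */
    ESC_CSTYLE_NL_TAB_OCTAL  /* models VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL */
};

/* Append s at dst[*pos] if it fits (leaving room for NUL); -1 if truncated. */
static int append(char *dst, size_t dstsize, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= dstsize)
        return -1;
    memcpy(dst + *pos, s, n);
    *pos += n;
    return 0;
}

/* Escape src into dst (NUL-terminated whenever dstsize > 0).
 * Returns the encoded length, or -1 if dst was too small. */
long escape_for_log(char *dst, size_t dstsize, const char *src, enum escape_mode mode)
{
    size_t pos = 0;
    if (dstsize == 0)
        return -1;
    dst[0] = '\0';
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char tmp[8];
        const char *out = tmp;
        unsigned char c = *p;

        if (c == '\\') {
            out = "\\\\";                      /* both modes double a backslash */
        } else if (c == ' ' || isgraph(c)) {
            tmp[0] = (char)c; tmp[1] = '\0';   /* printable ASCII passes through */
        } else if (mode == ESC_SAFE_OCTAL &&
                   (c == '\n' || c == '\t' || c == '\r' || c == '\b' || c == '\a')) {
            tmp[0] = (char)c; tmp[1] = '\0';   /* VIS_SAFE leaves these unencoded */
        } else if (mode == ESC_CSTYLE_NL_TAB_OCTAL && c == '\n') {
            out = "\\n";                       /* VIS_NL: newline becomes \n */
        } else if (mode == ESC_CSTYLE_NL_TAB_OCTAL && c == '\t') {
            out = "\\t";                       /* VIS_TAB: tab becomes \t */
        } else if (mode == ESC_CSTYLE_NL_TAB_OCTAL && c == '\r') {
            out = "\\r";
        } else {
            snprintf(tmp, sizeof tmp, "\\%03o", c);   /* anything else: octal */
        }
        if (append(dst, dstsize, &pos, out) < 0) {
            dst[pos] = '\0';
            return -1;
        }
    }
    dst[pos] = '\0';
    return (long)pos;
}

/* Lines a syslog receiver would see: one, plus one per embedded LF. */
int count_log_lines(const char *s)
{
    int lines = 1;
    for (; *s; s++)
        if (*s == '\n')
            lines++;
    return lines;
}

/* Does escaping src in mode produce exactly expected? (1 = yes) */
int escape_matches(const char *src, enum escape_mode mode, const char *expected)
{
    char buf[256];
    if (escape_for_log(buf, sizeof buf, src, mode) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Format a constructed sshd-style message around an untrusted user name,
 * escape it in mode, and report how many log lines would result. */
int logged_line_count(const char *user, enum escape_mode mode)
{
    char msg[512], escaped[1024];
    snprintf(msg, sizeof msg, "Invalid user %s from 203.0.113.5", user);
    if (escape_for_log(escaped, sizeof escaped, msg, mode) < 0)
        return -1;
    return count_log_lines(escaped);
}

int main(void)
{
    /* Constructed attacker-controlled user name: LF followed by a forged record. */
    const char *user = "evil\nJul 21 09:59:44 host sshd[1234]: Accepted publickey for root from 10.0.0.1";
    char out[1024];

    escape_for_log(out, sizeof out, user, ESC_SAFE_OCTAL);
    printf("VIS_SAFE|VIS_OCTAL model -> %d line(s):\n%s\n\n", count_log_lines(out), out);
    escape_for_log(out, sizeof out, user, ESC_CSTYLE_NL_TAB_OCTAL);
    printf("VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL model -> %d line(s):\n%s\n", count_log_lines(out), out);
    return 0;
}
```

Under the lenient mode the forged "Accepted publickey" text lands on its own line and is indistinguishable from a genuine record to anything parsing the log; under the strict mode the same input stays a single line with a literal `\n` in it. The trade-off the comment raises is visible too: the strict mode also turns the tabs and newlines that legitimate debug messages contain into `\t` and `\n`, which is why the suggested fix keeps VIS_SAFE only for the stderr (sshd -d) path.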