[Bug 111] sshd syslogs raw untrusted data
bugzilla-daemon at mindrot.org
Wed Jul 21 09:59:44 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=111
peak at argo.troja.mff.cuni.cz changed:
              What|Removed                     |Added
----------------------------------------------------------------------------
            Status|CLOSED                      |REOPENED
        Resolution|FIXED                       |
------- Additional Comments From peak at argo.troja.mff.cuni.cz 2004-07-21 09:59 -------
The current code in log.c fails to address the problem. It does

    strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), VIS_SAFE|VIS_OCTAL);

but this leaves nasty characters like LFs (misinterpreted by Solaris
syslog()...see above) alone.

On the other hand, stricter vis() flags make debugging output (sshd -d) ugly
because some debugging messages include a "natural" newline.

I think the code should read:

    strnvis(fmtbuf, msgbuf, sizeof(fmtbuf), log_on_stderr ?
        VIS_SAFE|VIS_OCTAL : VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL);
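The difference between the two flag sets discussed in the comment above, as an added example that is not part of the original report or of OpenSSH's log.c. It is a simplified stand-in for vis(3) that needs no libbsd; log_escape() and esc() are hypothetical names and the sample message is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the two strnvis() flag sets, not vis(3) itself.
 * strict=0 ~ VIS_SAFE|VIS_OCTAL, strict=1 ~ VIS_CSTYLE|VIS_NL|VIS_TAB|VIS_OCTAL.
 * log_escape() and esc() are hypothetical names. */
static size_t log_escape(char *dst, size_t dlen, const char *src, int strict)
{
    static const char ctl[] = "\n\t\r\b\a\v\f", sym[] = "ntrbavf";
    size_t o = 0;

    if (dlen == 0)
        return 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        const char *p = strchr(ctl, c);
        char enc[5];

        if (c == '\\')
            strcpy(enc, "\\\\");              /* backslash is doubled */
        else if (isgraph(c) || c == ' ' || (!strict && p && p - ctl < 5))
            snprintf(enc, sizeof(enc), "%c", c);   /* passed through raw */
        else if (strict && p)
            snprintf(enc, sizeof(enc), "\\%c", sym[p - ctl]);
        else
            snprintf(enc, sizeof(enc), "\\%03o", (unsigned)c);
        if (o + strlen(enc) >= dlen)
            break;                            /* never split an escape */
        memcpy(dst + o, enc, strlen(enc));
        o += strlen(enc);
    }
    dst[o] = '\0';
    return o;
}

/* Convenience wrapper with a static buffer (not reentrant). */
static const char *esc(const char *src, int strict)
{
    static char buf[256];
    log_escape(buf, sizeof(buf), src, strict);
    return buf;
}

int main(void)
{
    /* Constructed sample: remote-supplied text with an embedded LF. */
    const char *msg = "Illegal user bob\nsshd[1]: forged entry";
    printf("stderr mode: [%s]\n", esc(msg, 0));
    printf("syslog mode: [%s]\n", esc(msg, 1));
    return 0;
}
```

In the stderr mode the LF survives and the message spans two lines; in the syslog mode it stays one record with a literal `\n` in it.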