[Bug 3897] The empty string, when used as a username, should be marked in log output
bugzilla-daemon at mindrot.org
Wed Nov 19 01:57:42 AEDT 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3897
--- Comment #1 from Zack Weinberg <zack+bugzilla.mindrot at owlfolio.org> ---
I looked a little bit into what a patch for this would require, and
unfortunately it isn't easy. Throughout openssh, log messages get
built up from chunks using all the capabilities of printf, e.g.

    do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
        authmsg,
        method,
        submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
        authctxt->valid ? "" : "invalid user ",
        authctxt->user,
        ssh_remote_ipaddr(ssh),
        ssh_remote_port(ssh),
        extra != NULL ? ": " : "",
        extra != NULL ? extra : "");

Of all those %s placeholders, _only_ authctxt->user ought to be output
as `""` or something like that, when it's the empty string. Several
others are _supposed_ to print nothing at all if they are the empty
string.

Since C doesn't have perl-style taint tracking, the only way to get
this done is therefore to mark up every single place where a string
derived directly from data sent by the client is passed to the logging
subsystem. This feels like it might not be worth the hassle of
_finding_ all those places, or the ongoing maintenance burden of making
sure new log messages are also properly marked up. It also ought to be
done by someone experienced with how the openssh team likes to do
things, i.e. not me.
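
Added example, not part of the original comment and not OpenSSH code: a sketch of the per-call-site markup the comment describes, applied to the quoted format string so that only the client-derived username is rendered as "" when empty. log_client_str() and auth_line() are hypothetical names, and the usernames, address and port are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an OpenSSH function: make an empty
 * client-supplied string visible in log output as "". */
static const char *
log_client_str(const char *s)
{
	return (s == NULL || *s == '\0') ? "\"\"" : s;
}

/* Stand-in for the quoted do_log2() call: same format string, but the
 * result goes to a static buffer. mark_user selects whether the one
 * client-derived argument is wrapped. */
static const char *
auth_line(int mark_user, const char *authmsg, const char *method,
    const char *submethod, int valid, const char *user,
    const char *addr, int port, const char *extra)
{
	static char buf[512];

	snprintf(buf, sizeof(buf),
	    "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
	    authmsg,
	    method,
	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
	    valid ? "" : "invalid user ",
	    mark_user ? log_client_str(user) : user,
	    addr,
	    port,
	    extra != NULL ? ": " : "",
	    extra != NULL ? extra : "");
	return buf;
}

int
main(void)
{
	/* Constructed sample values (192.0.2.0/24 is a documentation range). */
	puts(auth_line(0, "Failed", "password", NULL, 0, "", "192.0.2.10", 50022, NULL));
	puts(auth_line(1, "Failed", "password", NULL, 0, "", "192.0.2.10", 50022, NULL));
	puts(auth_line(1, "Accepted", "publickey", NULL, 1, "alice", "192.0.2.10", 50022, NULL));
	return 0;
}
```

The submethod and extra arguments are left unwrapped, so they still print nothing when absent; only the username argument changes.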