ssh-keygen: sanitize ANSI escape sequences in key comment
Étienne Buira
etienne.buira at gmail.com
Mon Jan 4 02:29:14 AEDT 2016
On Sat, Jan 02, 2016 at 10:20:15PM +0100, Roland Hieber wrote:
> On 02.01.2016 22:12, Roland Hieber wrote:
> > Since this is my first patch to OpenSSH, I'm very open for feedback :-)
>
> ...he wrote without attaching the patch...
Hi, and thank you for pointing that out.
> + char * pc = NULL;
nitpick: char *pc (without space)?
> +
> + while ((pc = strchr(comment, '\x1b'))) {
> + *pc = '.';
> + }
> +
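Review bot: the `while` loop matches only the byte '\x1b', so every other non-printable byte in the comment (other C0 controls such as CR or backspace, and bytes above 0x7e) is left unchanged; consider walking the string once and replacing any byte that fails a printable-character test rather than searching for one value. Each `strchr(comment, '\x1b')` call also restarts from the beginning of `comment`; resuming from `pc + 1` avoids the rescans, and the `= NULL` initialiser on `pc` is not needed because the loop condition assigns it before any use.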
Why not add the escape char to the reject list in sshkey_try_load_public
(authfile.c)?
Makes me think that it would be safer to use strspn with a conservative
accept set, or scan all chars for isalnum(c) || isblank(c) ||
ispunct(c).
Just my two cents.
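The two checks suggested in the reply above (a strspn accept set and a per-character isalnum/isblank/ispunct scan), as an added example that is not part of the original message or of OpenSSH. The function names, the accept set and the sample comment are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed conservative accept set: printable ASCII plus tab. */
static const char ACCEPT[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    " \t!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";

/* strspn variant: returns 1 only if every byte of comment is in ACCEPT. */
int comment_is_clean(const char *comment)
{
    return comment[strspn(comment, ACCEPT)] == '\0';
}

/*
 * Per-character variant: replace each byte that is not alphanumeric,
 * blank or punctuation with '.', in place. Returns the number replaced.
 * No setlocale() call is made, so the "C" locale applies and bytes
 * >= 0x80 are rejected as well as the C0 controls.
 */
size_t sanitize_comment(char *comment)
{
    size_t replaced = 0;
    unsigned char *p;

    for (p = (unsigned char *)comment; *p != '\0'; p++) {
        if (!(isalnum(*p) || isblank(*p) || ispunct(*p))) {
            *p = '.';
            replaced++;
        }
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample: colour sequence, CR and a single-byte CSI (0x9b). */
    char comment[] = "user@host \x1b[31mred\x1b[0m\r\x9b" "2J";

    printf("clean before: %d\n", comment_is_clean(comment));
    printf("replaced: %zu\n", sanitize_comment(comment));
    printf("result: %s\n", comment);
    return 0;
}
```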
More information about the openssh-unix-dev mailing list