Plug already known security hole. (Brought over from 1.1.5):

Fixed security problem with telnetd, which allowed telnet -l -hcert.org localhost to change the user's host in utmp. Thanks to Matthew Green <mrgreen@@mame.mu.oz.au> for showing me this one. Reviewed by: karl, guido Submitted by: mrgreen@@mame.mu.oz.au
author: guido <guido@FreeBSD.org> 1994-08-15 20:06:13 +0000
committer: guido <guido@FreeBSD.org> 1994-08-15 20:06:13 +0000
commit: 957ff9bd53b450a547a963b7fe14e577984c0041 (patch)
tree: 731d35a45785fce78fdb5ad2c70b75dc029723fd /libexec
parent: e55e130de4c950f2bbbd9c71bcf4d0fcd66b4463 (diff)
download: FreeBSD-src-957ff9bd53b450a547a963b7fe14e577984c0041.zip
FreeBSD-src-957ff9bd53b450a547a963b7fe14e577984c0041.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 1e50216..abb732b 100644
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1497,7 +1497,7 @@ start_login(host, autologin, name)
 {
 	register char *cp;
 	register char **argv;
-	char **addarg();
+	char **addarg(), *user;
 	extern char *getenv();
 #ifdef	UTMPX
 	register int pid = getpid();
@@ -1667,7 +1667,12 @@ start_login(host, autologin, name)
 # endif
 	} else
 #endif
-	if (getenv("USER")) {
+	if (user = getenv("USER")) {
+	if (strchr(user, '-')) {
+			syslog(LOG_ERR, "tried to pass user \"%s\" to login",
+			       user); 
+			fatal(net, "invalid user");
+		}
 		argv = addarg(argv, getenv("USER"));
 #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
 		{
author	guido <guido@FreeBSD.org>	1994-08-15 20:06:13 +0000
committer	guido <guido@FreeBSD.org>	1994-08-15 20:06:13 +0000
commit	957ff9bd53b450a547a963b7fe14e577984c0041 (patch)
tree	731d35a45785fce78fdb5ad2c70b75dc029723fd /libexec
parent	e55e130de4c950f2bbbd9c71bcf4d0fcd66b4463 (diff)
download	FreeBSD-src-957ff9bd53b450a547a963b7fe14e577984c0041.zip FreeBSD-src-957ff9bd53b450a547a963b7fe14e577984c0041.tar.gz