shinys000114/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2026-02-09 09:54:25 +09:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2023-6004: torture_config: Allow multiple '@' in usernames

Browse Source 
Signed-off-by: Norbert Pocs <norbertpocs0@gmail.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Norbert Pocs
2023-11-05 13:12:47 +01:00
committed by Andreas Schneider
parent 8b8584ce5f
commit 11bd6e6ad9
1 changed files with 26 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
tests/unittests/torture_config.c
View File

@@ -671,6 +671,32 @@ static void torture_config_proxyjump(void **state) {
assert_string_equal(session->opts.ProxyCommand, assert_string_equal(session->opts.ProxyCommand,
"ssh -W [%h]:%p 2620:52:0::fed"); "ssh -W [%h]:%p 2620:52:0::fed");
/* Multiple @ is allowed in second jump */
torture_write_file(LIBSSH_TESTCONFIG11,
"Host allowed-hostname\n"
"\tProxyJump localhost,user@principal.com@jumpbox:22\n"
"");
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code(session, ret);
assert_string_equal(session->opts.ProxyCommand,
"ssh -J user@principal.com@jumpbox:22 -W [%h]:%p localhost");
/* Multiple @ is allowed */
torture_write_file(LIBSSH_TESTCONFIG11,
"Host allowed-hostname\n"
"\tProxyJump user@principal.com@jumpbox:22\n"
"");
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname");
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code(session, ret);
assert_string_equal(session->opts.ProxyCommand,
"ssh -l user@principal.com -p 22 -W [%h]:%p jumpbox");
/* In this part, we try various other config files and strings. */
/* Try to create some invalid configurations */ /* Try to create some invalid configurations */
/* Non-numeric port */ /* Non-numeric port */
torture_write_file(LIBSSH_TESTCONFIG11, torture_write_file(LIBSSH_TESTCONFIG11,
@@ -682,16 +708,6 @@ static void torture_config_proxyjump(void **state) {
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code_equal(session, ret, SSH_ERROR); assert_ssh_return_code_equal(session, ret, SSH_ERROR);
/* Too many @ */
torture_write_file(LIBSSH_TESTCONFIG11,
"Host bad-hostname\n"
"\tProxyJump user@principal.com@jumpbox:22\n"
"");
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code_equal(session, ret, SSH_ERROR);
/* Braces mismatch in hostname */ /* Braces mismatch in hostname */
torture_write_file(LIBSSH_TESTCONFIG11, torture_write_file(LIBSSH_TESTCONFIG11,
"Host mismatch\n" "Host mismatch\n"
@@ -752,16 +768,6 @@ static void torture_config_proxyjump(void **state) {
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code_equal(session, ret, SSH_ERROR); assert_ssh_return_code_equal(session, ret, SSH_ERROR);
/* Too many @ in second jump */
torture_write_file(LIBSSH_TESTCONFIG11,
"Host bad-hostname\n"
"\tProxyJump localhost,user@principal.com@jumpbox:22\n"
"");
torture_reset_config(session);
ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname");
ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11);
assert_ssh_return_code_equal(session, ret, SSH_ERROR);
/* Braces mismatch in second jump */ /* Braces mismatch in second jump */
torture_write_file(LIBSSH_TESTCONFIG11, torture_write_file(LIBSSH_TESTCONFIG11,
"Host mismatch\n" "Host mismatch\n"