summaryrefslogtreecommitdiff
path: root/Assistant
diff options
context:
space:
mode:
authorGravatar Joey Hess <joeyh@joeyh.name>2015-02-09 16:34:57 -0400
committerGravatar Joey Hess <joeyh@joeyh.name>2015-02-09 16:34:57 -0400
commitdf60c8197975496605b375ce93d3607dc843fe37 (patch)
tree270958a3c5621ed04f824e05f9cf438df1ee51d4 /Assistant
parent8d34737ac0693bb448f016f195d5082dc8e6d3df (diff)
assistant: Improve sanity check for control characters when pairing.
Diffstat (limited to 'Assistant')
-rw-r--r--Assistant/Pairing.hs9
-rw-r--r--Assistant/Threads/PairListener.hs21
2 files changed, 15 insertions, 15 deletions
diff --git a/Assistant/Pairing.hs b/Assistant/Pairing.hs
index 492b98592..b24e5fdb6 100644
--- a/Assistant/Pairing.hs
+++ b/Assistant/Pairing.hs
@@ -58,6 +58,15 @@ data PairData = PairData
}
deriving (Eq, Read, Show)
+checkSane :: PairData -> Bool
+checkSane p = all (not . any isControl)
+ [ fromMaybe "" (remoteHostName p)
+ , remoteUserName p
+ , remoteDirectory p
+ , remoteSshPubKey p
+ , fromUUID (pairUUID p)
+ ]
+
type UserName = String
{- A pairing that is in progress has a secret, a thread that is
diff --git a/Assistant/Threads/PairListener.hs b/Assistant/Threads/PairListener.hs
index a02b8b91a..e4f87494c 100644
--- a/Assistant/Threads/PairListener.hs
+++ b/Assistant/Threads/PairListener.hs
@@ -16,13 +16,11 @@ import Assistant.WebApp.Types
import Assistant.Alert
import Assistant.DaemonStatus
import Utility.ThreadScheduler
-import Utility.Format
import Git
import Network.Multicast
import Network.Socket
import qualified Data.Text as T
-import Data.Char
pairListenerThread :: UrlRenderer -> NamedThread
pairListenerThread urlrenderer = namedThread "PairListener" $ do
@@ -39,16 +37,18 @@ pairListenerThread urlrenderer = namedThread "PairListener" $ do
Nothing -> go reqs cache sock
Just m -> do
debug ["received", show msg]
- sane <- checkSane msg
(pip, verified) <- verificationCheck m
=<< (pairingInProgress <$> getDaemonStatus)
let wrongstage = maybe False (\p -> pairMsgStage m <= inProgressPairStage p) pip
let fromus = maybe False (\p -> remoteSshPubKey (pairMsgData m) == remoteSshPubKey (inProgressPairData p)) pip
- case (wrongstage, fromus, sane, pairMsgStage m) of
+ case (wrongstage, fromus, checkSane (pairMsgData m), pairMsgStage m) of
(_, True, _, _) -> do
debug ["ignoring message that looped back"]
go reqs cache sock
- (_, _, False, _) -> go reqs cache sock
+ (_, _, False, _) -> do
+ liftAnnex $ warning
+ "illegal control characters in pairing message; ignoring"
+ go reqs cache sock
-- PairReq starts a pairing process, so a
-- new one is always heeded, even if
-- some other pairing is in process.
@@ -83,19 +83,10 @@ pairListenerThread urlrenderer = namedThread "PairListener" $ do
"detected possible pairing brute force attempt; disabled pairing"
stopSending pip
return (Nothing, False)
- |otherwise = return (Just pip, verified && sameuuid)
+ | otherwise = return (Just pip, verified && sameuuid)
where
verified = verifiedPairMsg m pip
sameuuid = pairUUID (inProgressPairData pip) == pairUUID (pairMsgData m)
-
- checkSane msg
- {- Control characters could be used in a
- - console poisoning attack. -}
- | any isControl (filter (/= '\n') (decode_c msg)) = do
- liftAnnex $ warning
- "illegal control characters in pairing message; ignoring"
- return False
- | otherwise = return True
{- PairReqs invalidate the cache of recently finished pairings.
- This is so that, if a new pairing is started with the