Attachment #207053 for bug #240242

Lines 2-11 Link Here

(-)Makefile (-3 / +7 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= bzr	4	PORTNAME= bzr
5	PORTVERSION= 2.7.0	5	PORTVERSION= 2.7.0.${BZR_REV}
6	PORTREVISION= 2
7	CATEGORIES= devel	6	CATEGORIES= devel
8	MASTER_SITES= CHEESESHOP	7	MASTER_SITES= https://bazaar.launchpad.net/~bzr-pqm/bzr/2.7/tarball/
		8	DISTFILES= ${BZR_REV}
		9	DIST_SUBDIR= ${PORTNAME}
9		10
10	MAINTAINER= fullermd@over-yonder.net	11	MAINTAINER= fullermd@over-yonder.net
11	COMMENT= Distributed version control system by Canonical	12	COMMENT= Distributed version control system by Canonical
Lines 29-34 Link Here
29	PYDISTUTILS_PKGNAME= bzr	30	PYDISTUTILS_PKGNAME= bzr
30	MAKE_ENV= BZR_LOG=/dev/null	31	MAKE_ENV= BZR_LOG=/dev/null
31		32
		33	BZR_REV= 6622
		34	WRKSRC= ${WRKDIR}/~bzr-pqm/bzr/2.7
		35
32	post-install:	36	post-install:
33	${INSTALL_MAN} ${WRKSRC}/bzr.1 ${STAGEDIR}${MAN1PREFIX}/man/man1	37	${INSTALL_MAN} ${WRKSRC}/bzr.1 ${STAGEDIR}${MAN1PREFIX}/man/man1
34	${STRIP_CMD} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/bzrlib/*.so	38	${STRIP_CMD} ${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}/bzrlib/*.so

Lines 1-2 Link Here

(-)distinfo (-2 / +3 lines)
1	SHA256 (bzr-2.7.0.tar.gz) = c9f6bbe0a50201dadc5fddadd94ba50174193c6cf6e39e16f6dd0ad98a1df338	1	TIMESTAMP = 1567291226
2	SIZE (bzr-2.7.0.tar.gz) = 11526191	2	SHA256 (bzr/6622) = b5ae411ef4672422b9f69118cc5d3f8a3217d3ab05bf25d18ad69b60b1a07666
		3	SIZE (bzr/6622) = 10945747




Source: https://launchpadlibrarian.net/370632961/24_ssh_hostnames-lp1710979
Description: Refuse to connect to ssh hostnames starting with a dash. Fixes LP:1710979
Author: Jelmer Vernooij <jelmer@jelmer.uk>
Origin: commit, Revision ID: jelmer@jelmer.uk-20170819145828-qk2p7qlg5j2fbsiz

* Security fix: hostnames starting with a dash in bzr+ssh URLs
  are now filtered out when using a subprocess SSH client.
  .
  Thanks to Augie Fackler for reporting.
  (Jelmer Vernooĳ, #1710979)


=== modified file 'bzrlib/tests/test_ssh_transport.py'
---
 bzrlib/tests/test_ssh_transport.py |   38 ++++++++++++++++++++++++++++++++++++-
 bzrlib/transport/ssh.py            |   16 +++++++++++++--
 2 files changed, 51 insertions(+), 3 deletions(-)

Index: bzrlib/tests/test_ssh_transport.py
===================================================================
--- bzrlib/tests/test_ssh_transport.py
+++ bzrlib/tests/test_ssh_transport.py
@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
     SSHCorpSubprocessVendor,
     LSHSubprocessVendor,
     SSHVendorManager,
+    StrangeHostname,
     )
 
 
@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
 
 class SubprocessVendorsTests(TestCase):
 
+    def test_openssh_command_tricked(self):
+        vendor = OpenSSHSubprocessVendor()
+        self.assertEqual(
+            vendor._get_vendor_specific_argv(
+                "user", "-oProxyCommand=blah", 100, command=["bzr"]),
+            ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
+                "-oClearAllForwardings=yes",
+                "-oNoHostAuthenticationForLocalhost=yes",
+                "-p", "100",
+                "-l", "user",
+                "--",
+                "-oProxyCommand=blah", "bzr"])
+
     def test_openssh_command_arguments(self):
         vendor = OpenSSHSubprocessVendor()
         self.assertEqual(
@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
                 "-oNoHostAuthenticationForLocalhost=yes",
                 "-p", "100",
                 "-l", "user",
+                "--",
                 "host", "bzr"]
             )
 
@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
                 "-oNoHostAuthenticationForLocalhost=yes",
                 "-p", "100",
                 "-l", "user",
-                "-s", "host", "sftp"]
+                "-s", "--", "host", "sftp"]
             )
 
+    def test_openssh_command_tricked(self):
+        vendor = SSHCorpSubprocessVendor()
+        self.assertRaises(
+            StrangeHostname,
+            vendor._get_vendor_specific_argv,
+                "user", "-oProxyCommand=host", 100, command=["bzr"])
+
     def test_sshcorp_command_arguments(self):
         vendor = SSHCorpSubprocessVendor()
         self.assertEqual(
@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
                 "-s", "sftp", "host"]
             )
 
+    def test_lsh_command_tricked(self):
+        vendor = LSHSubprocessVendor()
+        self.assertRaises(
+            StrangeHostname,
+            vendor._get_vendor_specific_argv,
+                "user", "-oProxyCommand=host", 100, command=["bzr"])
+
     def test_lsh_command_arguments(self):
         vendor = LSHSubprocessVendor()
         self.assertEqual(
@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
                 "--subsystem", "sftp", "host"]
             )
 
+    def test_plink_command_tricked(self):
+        vendor = PLinkSubprocessVendor()
+        self.assertRaises(
+            StrangeHostname,
+            vendor._get_vendor_specific_argv,
+                "user", "-oProxyCommand=host", 100, command=["bzr"])
+
     def test_plink_command_arguments(self):
         vendor = PLinkSubprocessVendor()
         self.assertEqual(
Index: bzrlib/transport/ssh.py
===================================================================
--- bzrlib/transport/ssh.py
+++ bzrlib/transport/ssh.py
@@ -46,6 +46,10 @@ else:
     from paramiko.sftp_client import SFTPClient
 
 
+class StrangeHostname(errors.BzrError):
+    _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
+
+
 SYSTEM_HOSTKEYS = {}
 BZR_HOSTKEYS = {}
 
@@ -360,6 +364,11 @@ class SubprocessVendor(SSHVendor):
     # tests, but beware of using PIPE which may hang due to not being read.
     _stderr_target = None
 
+    @staticmethod
+    def _check_hostname(arg):
+        if arg.startswith('-'):
+            raise StrangeHostname(hostname=arg)
+
     def _connect(self, argv):
         # Attempt to make a socketpair to use as stdin/stdout for the SSH
         # subprocess.  We prefer sockets to pipes because they support
@@ -424,9 +433,9 @@ class OpenSSHSubprocessVendor(Subprocess
         if username is not None:
             args.extend(['-l', username])
         if subsystem is not None:
-            args.extend(['-s', host, subsystem])
+            args.extend(['-s', '--', host, subsystem])
         else:
-            args.extend([host] + command)
+            args.extend(['--', host] + command)
         return args
 
 register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
@@ -439,6 +448,7 @@ class SSHCorpSubprocessVendor(Subprocess
 
     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
                                   command=None):
+        self._check_hostname(host)
         args = [self.executable_path, '-x']
         if port is not None:
             args.extend(['-p', str(port)])
@@ -460,6 +470,7 @@ class LSHSubprocessVendor(SubprocessVend
 
     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
                                   command=None):
+        self._check_hostname(host)
         args = [self.executable_path]
         if port is not None:
             args.extend(['-p', str(port)])
@@ -481,6 +492,7 @@ class PLinkSubprocessVendor(SubprocessVe
 
     def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
                                   command=None):
+        self._check_hostname(host)
         args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
         if port is not None:
             args.extend(['-P', str(port)])

Return to bug 240242

Line 0 Link Here

(-)files/patch-ssh_hostname (+167 lines)
		1	Source: https://launchpadlibrarian.net/370632961/24_ssh_hostnames-lp1710979
		2	Description: Refuse to connect to ssh hostnames starting with a dash. Fixes LP:1710979
		3	Author: Jelmer Vernooij <jelmer@jelmer.uk>
		4	Origin: commit, Revision ID: jelmer@jelmer.uk-20170819145828-qk2p7qlg5j2fbsiz
		5
		6	* Security fix: hostnames starting with a dash in bzr+ssh URLs
		7	are now filtered out when using a subprocess SSH client.
		8	.
		9	Thanks to Augie Fackler for reporting.
		10	(Jelmer Vernooĳ, #1710979)
		11
		12
		13	=== modified file 'bzrlib/tests/test_ssh_transport.py'
		14	---
		15	bzrlib/tests/test_ssh_transport.py \| 38 ++++++++++++++++++++++++++++++++++++-
		16	bzrlib/transport/ssh.py \| 16 +++++++++++++--
		17	2 files changed, 51 insertions(+), 3 deletions(-)
		18
		19	Index: bzrlib/tests/test_ssh_transport.py
		20	===================================================================
		21	--- bzrlib/tests/test_ssh_transport.py
		22	+++ bzrlib/tests/test_ssh_transport.py
		23	@@ -22,6 +22,7 @@ from bzrlib.transport.ssh import (
		24	SSHCorpSubprocessVendor,
		25	LSHSubprocessVendor,
		26	SSHVendorManager,
		27	+ StrangeHostname,
		28	)
		29
		30
		31	@@ -161,6 +162,19 @@ class SSHVendorManagerTests(TestCase):
		32
		33	class SubprocessVendorsTests(TestCase):
		34
		35	+ def test_openssh_command_tricked(self):
		36	+ vendor = OpenSSHSubprocessVendor()
		37	+ self.assertEqual(
		38	+ vendor._get_vendor_specific_argv(
		39	+ "user", "-oProxyCommand=blah", 100, command=["bzr"]),
		40	+ ["ssh", "-oForwardX11=no", "-oForwardAgent=no",
		41	+ "-oClearAllForwardings=yes",
		42	+ "-oNoHostAuthenticationForLocalhost=yes",
		43	+ "-p", "100",
		44	+ "-l", "user",
		45	+ "--",
		46	+ "-oProxyCommand=blah", "bzr"])
		47	+
		48	def test_openssh_command_arguments(self):
		49	vendor = OpenSSHSubprocessVendor()
		50	self.assertEqual(
		51	@@ -171,6 +185,7 @@ class SubprocessVendorsTests(TestCase):
		52	"-oNoHostAuthenticationForLocalhost=yes",
		53	"-p", "100",
		54	"-l", "user",
		55	+ "--",
		56	"host", "bzr"]
		57	)
		58
		59	@@ -184,9 +199,16 @@ class SubprocessVendorsTests(TestCase):
		60	"-oNoHostAuthenticationForLocalhost=yes",
		61	"-p", "100",
		62	"-l", "user",
		63	- "-s", "host", "sftp"]
		64	+ "-s", "--", "host", "sftp"]
65	)
66
67	+ def test_openssh_command_tricked(self):
68	+ vendor = SSHCorpSubprocessVendor()
69	+ self.assertRaises(
70	+ StrangeHostname,
71	+ vendor._get_vendor_specific_argv,
72	+ "user", "-oProxyCommand=host", 100, command=["bzr"])
73	+
74	def test_sshcorp_command_arguments(self):
75	vendor = SSHCorpSubprocessVendor()
76	self.assertEqual(
77	@@ -209,6 +231,13 @@ class SubprocessVendorsTests(TestCase):
78	"-s", "sftp", "host"]
79	)
80
81	+ def test_lsh_command_tricked(self):
82	+ vendor = LSHSubprocessVendor()
83	+ self.assertRaises(
84	+ StrangeHostname,
85	+ vendor._get_vendor_specific_argv,
86	+ "user", "-oProxyCommand=host", 100, command=["bzr"])
87	+
88	def test_lsh_command_arguments(self):
89	vendor = LSHSubprocessVendor()
90	self.assertEqual(
91	@@ -231,6 +260,13 @@ class SubprocessVendorsTests(TestCase):
92	"--subsystem", "sftp", "host"]
93	)
94
95	+ def test_plink_command_tricked(self):
96	+ vendor = PLinkSubprocessVendor()
97	+ self.assertRaises(
98	+ StrangeHostname,
99	+ vendor._get_vendor_specific_argv,
100	+ "user", "-oProxyCommand=host", 100, command=["bzr"])
101	+
102	def test_plink_command_arguments(self):
103	vendor = PLinkSubprocessVendor()
104	self.assertEqual(
105	Index: bzrlib/transport/ssh.py
106	===================================================================
107	--- bzrlib/transport/ssh.py
108	+++ bzrlib/transport/ssh.py
109	@@ -46,6 +46,10 @@ else:
110	from paramiko.sftp_client import SFTPClient
111
112
113	+class StrangeHostname(errors.BzrError):
114	+ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s"
115	+
116	+
117	SYSTEM_HOSTKEYS = {}
118	BZR_HOSTKEYS = {}
119
120	@@ -360,6 +364,11 @@ class SubprocessVendor(SSHVendor):
121	# tests, but beware of using PIPE which may hang due to not being read.
122	_stderr_target = None
123
124	+ @staticmethod
125	+ def _check_hostname(arg):
126	+ if arg.startswith('-'):
127	+ raise StrangeHostname(hostname=arg)
128	+
129	def _connect(self, argv):
130	# Attempt to make a socketpair to use as stdin/stdout for the SSH
131	# subprocess. We prefer sockets to pipes because they support
132	@@ -424,9 +433,9 @@ class OpenSSHSubprocessVendor(Subprocess
133	if username is not None:
134	args.extend(['-l', username])
135	if subsystem is not None:
136	- args.extend(['-s', host, subsystem])
137	+ args.extend(['-s', '--', host, subsystem])
138	else:
139	- args.extend([host] + command)
140	+ args.extend(['--', host] + command)
141	return args
142
143	register_ssh_vendor('openssh', OpenSSHSubprocessVendor())
144	@@ -439,6 +448,7 @@ class SSHCorpSubprocessVendor(Subprocess
145
146	def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
147	command=None):
148	+ self._check_hostname(host)
149	args = [self.executable_path, '-x']
150	if port is not None:
151	args.extend(['-p', str(port)])
152	@@ -460,6 +470,7 @@ class LSHSubprocessVendor(SubprocessVend
153
154	def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
155	command=None):
156	+ self._check_hostname(host)
157	args = [self.executable_path]
158	if port is not None:
159	args.extend(['-p', str(port)])
160	@@ -481,6 +492,7 @@ class PLinkSubprocessVendor(SubprocessVe
161
162	def _get_vendor_specific_argv(self, username, host, port, subsystem=None,
163	command=None):
164	+ self._check_hostname(host)
165	args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch']
166	if port is not None:
167	args.extend(['-P', str(port)])