Plug security hole that was already fixed in 1.1. It prevents

user from specifying their hostname when rlogin()-ing in
(using rlogin -f-h<host>)

Reviewed by:
Submitted by:
This commit is contained in:
Guido van Rooij 1994-08-15 19:44:50 +00:00
parent d966229d00
commit 9496903032

View File

@ -293,6 +293,11 @@ doit(f, fromp)
if (f > 2) /* f should always be 0, but... */
(void) close(f);
setup_term(0);
if (strchr(lusername, '-')) {
syslog(LOG_ERR, "tried to pass user \"%s\" to login",
lusername);
fatal(STDERR_FILENO, "invalid user", 0);
}
if (authenticated) {
#ifdef KERBEROS
if (use_kerberos && (pwd->pw_uid == 0))