Plug security hole that was already fixed in 1.1. It prevents
user from specifying their hostname when rlogin()-ing in (using rlogin -f-h<host>) Reviewed by: Submitted by:
This commit is contained in:
parent
d966229d00
commit
9496903032
@ -293,6 +293,11 @@ doit(f, fromp)
|
||||
if (f > 2) /* f should always be 0, but... */
|
||||
(void) close(f);
|
||||
setup_term(0);
|
||||
if (strchr(lusername, '-')) {
|
||||
syslog(LOG_ERR, "tried to pass user \"%s\" to login",
|
||||
lusername);
|
||||
fatal(STDERR_FILENO, "invalid user", 0);
|
||||
}
|
||||
if (authenticated) {
|
||||
#ifdef KERBEROS
|
||||
if (use_kerberos && (pwd->pw_uid == 0))
|
||||
|
Loading…
Reference in New Issue
Block a user