From 11bd6e6ad926a38cd7b9f8308a4c2fd8dfd9200c Mon Sep 17 00:00:00 2001 From: Norbert Pocs Date: Sun, 5 Nov 2023 13:12:47 +0100 Subject: [PATCH] CVE-2023-6004: torture_config: Allow multiple '@' in usernames Signed-off-by: Norbert Pocs Reviewed-by: Andreas Schneider Conflict: NA Reference:https://gitlab.com/libssh/libssh-mirror/-/commit/11bd6e6ad926a38cd7b9f8308a4c2fd8dfd9200c --- tests/unittests/torture_config.c | 44 ++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 19 deletions(-) diff --git a/tests/unittests/torture_config.c b/tests/unittests/torture_config.c index f91112a9..3a5a74bf 100644 --- a/tests/unittests/torture_config.c +++ b/tests/unittests/torture_config.c @@ -671,24 +671,40 @@ static void torture_config_proxyjump(void **state) { assert_string_equal(session->opts.ProxyCommand, "ssh -W '[%h]:%p' 2620:52:0::fed"); - /* Try to create some invalid configurations */ - /* Non-numeric port */ + /* Multiple @ is allowed in second jump */ torture_write_file(LIBSSH_TESTCONFIG11, - "Host bad-port\n" - "\tProxyJump jumpbox:22bad22\n" + "Host allowed-hostname\n" + "\tProxyJump localhost,user@principal.com@jumpbox:22\n" ""); torture_reset_config(session); - ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port"); + ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname"); ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); - assert_ssh_return_code_equal(session, ret, SSH_ERROR); + assert_ssh_return_code(session, ret); + assert_string_equal(session->opts.ProxyCommand, + "ssh -J user@principal.com@jumpbox:22 -W '[%h]:%p' localhost"); - /* Too many @ */ + /* Multiple @ is allowed */ torture_write_file(LIBSSH_TESTCONFIG11, - "Host bad-hostname\n" + "Host allowed-hostname\n" "\tProxyJump user@principal.com@jumpbox:22\n" ""); torture_reset_config(session); - ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname"); + ssh_options_set(session, SSH_OPTIONS_HOST, "allowed-hostname"); + ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); + assert_ssh_return_code(session, ret); + assert_string_equal(session->opts.ProxyCommand, + "ssh -l user@principal.com -p 22 -W '[%h]:%p' jumpbox"); + + /* In this part, we try various other config files and strings. */ + + /* Try to create some invalid configurations */ + /* Non-numeric port */ + torture_write_file(LIBSSH_TESTCONFIG11, + "Host bad-port\n" + "\tProxyJump jumpbox:22bad22\n" + ""); + torture_reset_config(session); + ssh_options_set(session, SSH_OPTIONS_HOST, "bad-port"); ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); assert_ssh_return_code_equal(session, ret, SSH_ERROR); @@ -752,16 +768,6 @@ static void torture_config_proxyjump(void **state) { ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); assert_ssh_return_code_equal(session, ret, SSH_ERROR); - /* Too many @ in second jump */ - torture_write_file(LIBSSH_TESTCONFIG11, - "Host bad-hostname\n" - "\tProxyJump localhost,user@principal.com@jumpbox:22\n" - ""); - torture_reset_config(session); - ssh_options_set(session, SSH_OPTIONS_HOST, "bad-hostname"); - ret = ssh_config_parse_file(session, LIBSSH_TESTCONFIG11); - assert_ssh_return_code_equal(session, ret, SSH_ERROR); - /* Braces mismatch in second jump */ torture_write_file(LIBSSH_TESTCONFIG11, "Host mismatch\n" -- 2.33.0