diff --git a/config.h b/config.h index 072a9cd..8f5d734 100644 --- a/config.h +++ b/config.h @@ -138,7 +138,7 @@ #define STDC_HEADERS 1 /* Most recent revision number in the version control system */ -#define VCS_REVISION "163" +#define VCS_REVISION "164" /* Version number of package */ #define VERSION "2.9" diff --git a/configure b/configure index 324bdc4..399f436 100755 --- a/configure +++ b/configure @@ -2317,7 +2317,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $ ac_compiler_gnu=$ac_cv_c_compiler_gnu -VCS_REVISION=163 +VCS_REVISION=164 cat >>confdefs.h <<_ACEOF diff --git a/configure.ac b/configure.ac index 85960c9..3cdd440 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ AC_PREREQ(2.57) dnl This is the one location where the authoritative version number is stored AC_INIT(shellinabox, 2.9, markus@shellinabox.com) -VCS_REVISION=163 +VCS_REVISION=164 AC_SUBST(VCS_REVISION) AC_DEFINE_UNQUOTED(VCS_REVISION, "${VCS_REVISION}", [Most recent revision number in the version control system]) diff --git a/demo/vt100.js b/demo/vt100.js index dacb710..23dd26f 100644 --- a/demo/vt100.js +++ b/demo/vt100.js @@ -1693,7 +1693,7 @@ VT100.prototype.toggleBell = function() { }; VT100.prototype.about = function() { - alert("VT100 Terminal Emulator " + "2.9 (revision 163)" + + alert("VT100 Terminal Emulator " + "2.9 (revision 164)" + "\nCopyright 2008-2009 by Markus Gutschke\n" + "For more information check http://shellinabox.com"); }; @@ -1995,6 +1995,10 @@ VT100.prototype.handleKey = function(event) { } if (this.menu.style.visibility == 'hidden') { + // this.vt100('R: c='); + // for (var i = 0; i < ch.length; i++) + // this.vt100((i != 0 ? ', ' : '') + ch.charCodeAt(i)); + // this.vt100('\r\n'); this.keysPressed(ch); } }; 
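Review bot: The four lines added to handleKey in demo/vt100.js are commented-out key tracing rather than live code, and the same pattern is added to keyDown, keyPressed and keyUp and to the copies in shellinabox/vt100.js and shellinabox/vt100.jspp. If the tracing is meant to stay, I would gate it behind one explicit debug switch instead of comment markers and head it with a comment such as `// Debug aid: prints key codes to the terminal; keep disabled in releases.`, since once enabled it appears to echo every key code to the screen, presumably including characters typed at password prompts. Otherwise it is better dropped from the commit. handleKey starts outside the hunk, so how `ch` is built is not visible here.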
@@ -2111,6 +2115,12 @@ VT100.prototype.fixEvent = function(event) {
 };
 VT100.prototype.keyDown = function(event) {
+ // this.vt100('D: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 this.checkComposedKeys(event);
 this.lastKeyPressedEvent = undefined;
 this.lastKeyDownEvent = undefined;
@@ -2196,6 +2206,12 @@ VT100.prototype.keyDown = function(event) {
 };
 VT100.prototype.keyPressed = function(event) {
+ // this.vt100('P: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 if (this.lastKeyDownEvent) {
 // If we already processed the key on keydown, do not process it
 // again here. Ideally, the browser should not even have generated a
@@ -2226,6 +2242,12 @@ VT100.prototype.keyPressed = function(event) {
 };
 VT100.prototype.keyUp = function(event) {
+ // this.vt100('U: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 if (this.lastKeyPressedEvent) {
 // The compose key on Linux occasionally confuses the browser and keeps
 // inserting bogus characters into the input field, even if just a regular
diff --git a/shellinabox/launcher.c b/shellinabox/launcher.c
index bccb580..47732ee 100644
--- a/shellinabox/launcher.c
+++ b/shellinabox/launcher.c
@@ -772,6 +772,8 @@ static pam_handle_t *internalLogin(struct Service *service, struct Utmp *utmp, check(!uname(&uts)); hostname = uts.nodename; } + const char *fqdn; + check(fqdn = strdup(hostname)); check(hostname = strdup(hostname)); char *dot = strchr(hostname, '.'); if (dot) { @@ -785,14 +787,45 @@ static pam_handle_t *internalLogin(struct Service *service, struct Utmp *utmp, char *user = NULL; char *prompt; check(prompt = stringPrintf(NULL, "%s login: ", hostname)); - if (read_string(1, prompt, &user) <= 0) { + for (;;) { + if (read_string(1, prompt, &user) <= 0) { + free(user); + free(prompt); + _exit(1); + } + if (*user) { + for (char *u = user; *u; u++) { + char ch = *u; + if (!((ch >= '0' && ch <= '9') || + (ch >= 'A' && ch <= 'Z') || + (ch >= 'a' && ch <= 'z') || + ch == '-' || ch == '_' || ch == '.')) { + goto invalid_user_name; + } + } + break; + } + invalid_user_name: free(user); - free(prompt); - _exit(1); + user = NULL; } free(prompt); char *cmdline = stringPrintf(NULL, service->cmdline, user); free(user); + + // Replace '@localhost' with the actual host name. This results in a nicer + // prompt when SSH asks for the password. + char *ptr = strrchr(cmdline, '@'); + if (!strcmp(ptr + 1, "localhost")) { + int offset = ptr + 1 - cmdline; + check(cmdline = realloc(cmdline, + strlen(cmdline) + strlen(fqdn) - + strlen("localhost") + 1)); + ptr = cmdline + offset; + *ptr = '\000'; + strncat(ptr, fqdn, strlen(fqdn)); + } + free((void *)service->cmdline); service->cmdline = cmdline; @@ -892,6 +925,7 @@ static pam_handle_t *internalLogin(struct Service *service, struct Utmp *utmp, pw = getPWEnt(service->uid); #endif } + free((void *)fqdn); free((void *)hostname); if (restricted && diff --git a/shellinabox/service.c b/shellinabox/service.c index d99ca5c..28f6447 100644 --- a/shellinabox/service.c +++ b/shellinabox/service.c 
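Review bot: In shellinabox/launcher.c the new whitelist in the login loop still accepts a user name that starts with `-`, so once `stringPrintf(NULL, service->cmdline, user)` has substituted it the value may be read as an ssh option instead of the `user@host` destination; the host-name loop added to initService in shellinabox/service.c has the same gap. Rejecting a leading dash before the per-character scan closes it, e.g. `if (*user == '-') goto invalid_user_name;`, with the matching `*host == '-'` test in service.c. Separately, `strrchr(cmdline, '@')` is used as `ptr + 1` without a NULL test, which is undefined behaviour for any command line that has no `@`; `if (ptr && !strcmp(ptr + 1, "localhost")) {` covers that. internalLogin begins and ends outside these hunks, so whether this branch is reached only for the built-in SSH service cannot be confirmed from here.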
@@ -124,6 +124,19 @@ void initService(struct Service *service, const char *arg) {
 free(ptr);
 }
 }
+
+ // Don't allow manipulation of the SSH command line through "creative" use
+ // of the host name.
+ for (char *h = host; *h; h++) {
+ char ch = *h;
+ if (!((ch >= '0' && ch <= '9') ||
+ (ch >= 'A' && ch <= 'Z') ||
+ (ch >= 'a' && ch <= 'z') ||
+ ch == '-' || ch == '.')) {
+ fatal("Invalid hostname \"%s\" in service definition", host);
+ }
+ }
+
 service->cmdline = stringPrintf(NULL,
 "ssh -a -e none -i /dev/null -x -oChallengeResponseAuthentication=no "
 "-oCheckHostIP=no -oClearAllForwardings=yes -oCompression=no "
diff --git a/shellinabox/shell_in_a_box.js b/shellinabox/shell_in_a_box.js
index e3acb7a..4465e1a 100644
--- a/shellinabox/shell_in_a_box.js
+++ b/shellinabox/shell_in_a_box.js
@@ -355,7 +355,7 @@ ShellInABox.prototype.extendContextMenu = function(entries, actions) {
 };
 ShellInABox.prototype.about = function() {
- alert("Shell In A Box version " + "2.9 (revision 163)" +
+ alert("Shell In A Box version " + "2.9 (revision 164)" +
 "\nCopyright 2008-2009 by Markus Gutschke\n" +
 "For more information check http://shellinabox.com" +
 (typeof serverSupportsSSL != 'undefined' && serverSupportsSSL ?
diff --git a/shellinabox/vt100.js b/shellinabox/vt100.js
index dacb710..23dd26f 100644
--- a/shellinabox/vt100.js
+++ b/shellinabox/vt100.js
@@ -1693,7 +1693,7 @@ VT100.prototype.toggleBell = function() {
 };
 VT100.prototype.about = function() {
- alert("VT100 Terminal Emulator " + "2.9 (revision 163)" +
+ alert("VT100 Terminal Emulator " + "2.9 (revision 164)" +
 "\nCopyright 2008-2009 by Markus Gutschke\n" +
 "For more information check http://shellinabox.com");
 };
@@ -1995,6 +1995,10 @@ VT100.prototype.handleKey = function(event) {
 }
 if (this.menu.style.visibility == 'hidden') {
+ // this.vt100('R: c=');
+ // for (var i = 0; i < ch.length; i++)
+ // this.vt100((i != 0 ? ', ' : '') + ch.charCodeAt(i));
+ // this.vt100('\r\n');
 this.keysPressed(ch);
 }
 };
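Review bot: In shellinabox/service.c an empty `host` passes the new check because the loop body never runs, while the user-name loop added to launcher.c in the same commit insists on `*user`. Unless code earlier in initService (outside the hunk) already rules that out, add `if (!*host) fatal("Empty hostname in service definition");` ahead of the loop. The two whitelists differ only in `_`, so a shared helper that takes the extra allowed characters would keep them from drifting apart.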
@@ -2111,6 +2115,12 @@ VT100.prototype.fixEvent = function(event) {
 };
 VT100.prototype.keyDown = function(event) {
+ // this.vt100('D: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 this.checkComposedKeys(event);
 this.lastKeyPressedEvent = undefined;
 this.lastKeyDownEvent = undefined;
@@ -2196,6 +2206,12 @@ VT100.prototype.keyDown = function(event) {
 };
 VT100.prototype.keyPressed = function(event) {
+ // this.vt100('P: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 if (this.lastKeyDownEvent) {
 // If we already processed the key on keydown, do not process it
 // again here. Ideally, the browser should not even have generated a
@@ -2226,6 +2242,12 @@ VT100.prototype.keyPressed = function(event) {
 };
 VT100.prototype.keyUp = function(event) {
+ // this.vt100('U: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 if (this.lastKeyPressedEvent) {
 // The compose key on Linux occasionally confuses the browser and keeps
 // inserting bogus characters into the input field, even if just a regular
diff --git a/shellinabox/vt100.jspp b/shellinabox/vt100.jspp
index 17aca71..49f0b94 100644
--- a/shellinabox/vt100.jspp
+++ b/shellinabox/vt100.jspp
@@ -1995,6 +1995,10 @@ VT100.prototype.handleKey = function(event) {
 }
 if (this.menu.style.visibility == 'hidden') {
+ // this.vt100('R: c=');
+ // for (var i = 0; i < ch.length; i++)
+ // this.vt100((i != 0 ? ', ' : '') + ch.charCodeAt(i));
+ // this.vt100('\r\n');
 this.keysPressed(ch);
 }
 };
@@ -2111,6 +2115,12 @@ VT100.prototype.fixEvent = function(event) {
 };
 VT100.prototype.keyDown = function(event) {
+ // this.vt100('D: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 this.checkComposedKeys(event);
 this.lastKeyPressedEvent = undefined;
 this.lastKeyDownEvent = undefined;
@@ -2196,6 +2206,12 @@ VT100.prototype.keyDown = function(event) {
 };
 VT100.prototype.keyPressed = function(event) {
+ // this.vt100('P: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 if (this.lastKeyDownEvent) {
 // If we already processed the key on keydown, do not process it
 // again here. Ideally, the browser should not even have generated a
@@ -2226,6 +2242,12 @@ VT100.prototype.keyPressed = function(event) {
 };
 VT100.prototype.keyUp = function(event) {
+ // this.vt100('U: c=' + event.charCode + ', k=' + event.keyCode +
+ // (event.shiftKey || event.ctrlKey || event.altKey ||
+ // event.metaKey ? ', ' +
+ // (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
+ // (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
+ // '\r\n');
 if (this.lastKeyPressedEvent) {
 // The compose key on Linux occasionally confuses the browser and keeps
 // inserting bogus characters into the input field, even if just a regular