Sanitize the SSH command line a little more.

Show the real host name in the SSH password prompt, if available.
Add some commented-out debugging helpers for tracking down problems with non-US keyboards. 


git-svn-id: https://shellinabox.googlecode.com/svn/trunk@164 0da03de8-d603-11dd-86c2-0f8696b7b6f9
This commit is contained in:
zodiac 2009-08-09 19:08:40 +00:00
parent 2d226f5b53
commit e78b94961c
9 changed files with 122 additions and 9 deletions

View file

@ -138,7 +138,7 @@
#define STDC_HEADERS 1 #define STDC_HEADERS 1
/* Most recent revision number in the version control system */ /* Most recent revision number in the version control system */
#define VCS_REVISION "163" #define VCS_REVISION "164"
/* Version number of package */ /* Version number of package */
#define VERSION "2.9" #define VERSION "2.9"

2
configure vendored
View file

@ -2317,7 +2317,7 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $
ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_compiler_gnu=$ac_cv_c_compiler_gnu
VCS_REVISION=163 VCS_REVISION=164
cat >>confdefs.h <<_ACEOF cat >>confdefs.h <<_ACEOF

View file

@ -2,7 +2,7 @@ AC_PREREQ(2.57)
dnl This is the one location where the authoritative version number is stored dnl This is the one location where the authoritative version number is stored
AC_INIT(shellinabox, 2.9, markus@shellinabox.com) AC_INIT(shellinabox, 2.9, markus@shellinabox.com)
VCS_REVISION=163 VCS_REVISION=164
AC_SUBST(VCS_REVISION) AC_SUBST(VCS_REVISION)
AC_DEFINE_UNQUOTED(VCS_REVISION, "${VCS_REVISION}", AC_DEFINE_UNQUOTED(VCS_REVISION, "${VCS_REVISION}",
[Most recent revision number in the version control system]) [Most recent revision number in the version control system])

View file

@ -1693,7 +1693,7 @@ VT100.prototype.toggleBell = function() {
}; };
VT100.prototype.about = function() { VT100.prototype.about = function() {
alert("VT100 Terminal Emulator " + "2.9 (revision 163)" + alert("VT100 Terminal Emulator " + "2.9 (revision 164)" +
"\nCopyright 2008-2009 by Markus Gutschke\n" + "\nCopyright 2008-2009 by Markus Gutschke\n" +
"For more information check http://shellinabox.com"); "For more information check http://shellinabox.com");
}; };
@ -1995,6 +1995,10 @@ VT100.prototype.handleKey = function(event) {
} }
if (this.menu.style.visibility == 'hidden') { if (this.menu.style.visibility == 'hidden') {
// this.vt100('R: c=');
// for (var i = 0; i < ch.length; i++)
// this.vt100((i != 0 ? ', ' : '') + ch.charCodeAt(i));
// this.vt100('\r\n');
this.keysPressed(ch); this.keysPressed(ch);
} }
}; };
@ -2111,6 +2115,12 @@ VT100.prototype.fixEvent = function(event) {
}; };
VT100.prototype.keyDown = function(event) { VT100.prototype.keyDown = function(event) {
// this.vt100('D: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
this.checkComposedKeys(event); this.checkComposedKeys(event);
this.lastKeyPressedEvent = undefined; this.lastKeyPressedEvent = undefined;
this.lastKeyDownEvent = undefined; this.lastKeyDownEvent = undefined;
@ -2196,6 +2206,12 @@ VT100.prototype.keyDown = function(event) {
}; };
VT100.prototype.keyPressed = function(event) { VT100.prototype.keyPressed = function(event) {
// this.vt100('P: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
if (this.lastKeyDownEvent) { if (this.lastKeyDownEvent) {
// If we already processed the key on keydown, do not process it // If we already processed the key on keydown, do not process it
// again here. Ideally, the browser should not even have generated a // again here. Ideally, the browser should not even have generated a
@ -2226,6 +2242,12 @@ VT100.prototype.keyPressed = function(event) {
}; };
VT100.prototype.keyUp = function(event) { VT100.prototype.keyUp = function(event) {
// this.vt100('U: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
if (this.lastKeyPressedEvent) { if (this.lastKeyPressedEvent) {
// The compose key on Linux occasionally confuses the browser and keeps // The compose key on Linux occasionally confuses the browser and keeps
// inserting bogus characters into the input field, even if just a regular // inserting bogus characters into the input field, even if just a regular

View file

@ -772,6 +772,8 @@ static pam_handle_t *internalLogin(struct Service *service, struct Utmp *utmp,
check(!uname(&uts)); check(!uname(&uts));
hostname = uts.nodename; hostname = uts.nodename;
} }
const char *fqdn;
check(fqdn = strdup(hostname));
check(hostname = strdup(hostname)); check(hostname = strdup(hostname));
char *dot = strchr(hostname, '.'); char *dot = strchr(hostname, '.');
if (dot) { if (dot) {
@ -785,14 +787,45 @@ static pam_handle_t *internalLogin(struct Service *service, struct Utmp *utmp,
char *user = NULL; char *user = NULL;
char *prompt; char *prompt;
check(prompt = stringPrintf(NULL, "%s login: ", hostname)); check(prompt = stringPrintf(NULL, "%s login: ", hostname));
for (;;) {
if (read_string(1, prompt, &user) <= 0) { if (read_string(1, prompt, &user) <= 0) {
free(user); free(user);
free(prompt); free(prompt);
_exit(1); _exit(1);
} }
if (*user) {
for (char *u = user; *u; u++) {
char ch = *u;
if (!((ch >= '0' && ch <= '9') ||
(ch >= 'A' && ch <= 'Z') ||
(ch >= 'a' && ch <= 'z') ||
ch == '-' || ch == '_' || ch == '.')) {
goto invalid_user_name;
}
}
break;
}
invalid_user_name:
free(user);
user = NULL;
}
free(prompt); free(prompt);
char *cmdline = stringPrintf(NULL, service->cmdline, user); char *cmdline = stringPrintf(NULL, service->cmdline, user);
free(user); free(user);
// Replace '@localhost' with the actual host name. This results in a nicer
// prompt when SSH asks for the password.
char *ptr = strrchr(cmdline, '@');
if (!strcmp(ptr + 1, "localhost")) {
int offset = ptr + 1 - cmdline;
check(cmdline = realloc(cmdline,
strlen(cmdline) + strlen(fqdn) -
strlen("localhost") + 1));
ptr = cmdline + offset;
*ptr = '\000';
strncat(ptr, fqdn, strlen(fqdn));
}
free((void *)service->cmdline); free((void *)service->cmdline);
service->cmdline = cmdline; service->cmdline = cmdline;
@ -892,6 +925,7 @@ static pam_handle_t *internalLogin(struct Service *service, struct Utmp *utmp,
pw = getPWEnt(service->uid); pw = getPWEnt(service->uid);
#endif #endif
} }
free((void *)fqdn);
free((void *)hostname); free((void *)hostname);
if (restricted && if (restricted &&

View file

@ -124,6 +124,19 @@ void initService(struct Service *service, const char *arg) {
free(ptr); free(ptr);
} }
} }
// Don't allow manipulation of the SSH command line through "creative" use
// of the host name.
for (char *h = host; *h; h++) {
char ch = *h;
if (!((ch >= '0' && ch <= '9') ||
(ch >= 'A' && ch <= 'Z') ||
(ch >= 'a' && ch <= 'z') ||
ch == '-' || ch == '.')) {
fatal("Invalid hostname \"%s\" in service definition", host);
}
}
service->cmdline = stringPrintf(NULL, service->cmdline = stringPrintf(NULL,
"ssh -a -e none -i /dev/null -x -oChallengeResponseAuthentication=no " "ssh -a -e none -i /dev/null -x -oChallengeResponseAuthentication=no "
"-oCheckHostIP=no -oClearAllForwardings=yes -oCompression=no " "-oCheckHostIP=no -oClearAllForwardings=yes -oCompression=no "

View file

@ -355,7 +355,7 @@ ShellInABox.prototype.extendContextMenu = function(entries, actions) {
}; };
ShellInABox.prototype.about = function() { ShellInABox.prototype.about = function() {
alert("Shell In A Box version " + "2.9 (revision 163)" + alert("Shell In A Box version " + "2.9 (revision 164)" +
"\nCopyright 2008-2009 by Markus Gutschke\n" + "\nCopyright 2008-2009 by Markus Gutschke\n" +
"For more information check http://shellinabox.com" + "For more information check http://shellinabox.com" +
(typeof serverSupportsSSL != 'undefined' && serverSupportsSSL ? (typeof serverSupportsSSL != 'undefined' && serverSupportsSSL ?

View file

@ -1693,7 +1693,7 @@ VT100.prototype.toggleBell = function() {
}; };
VT100.prototype.about = function() { VT100.prototype.about = function() {
alert("VT100 Terminal Emulator " + "2.9 (revision 163)" + alert("VT100 Terminal Emulator " + "2.9 (revision 164)" +
"\nCopyright 2008-2009 by Markus Gutschke\n" + "\nCopyright 2008-2009 by Markus Gutschke\n" +
"For more information check http://shellinabox.com"); "For more information check http://shellinabox.com");
}; };
@ -1995,6 +1995,10 @@ VT100.prototype.handleKey = function(event) {
} }
if (this.menu.style.visibility == 'hidden') { if (this.menu.style.visibility == 'hidden') {
// this.vt100('R: c=');
// for (var i = 0; i < ch.length; i++)
// this.vt100((i != 0 ? ', ' : '') + ch.charCodeAt(i));
// this.vt100('\r\n');
this.keysPressed(ch); this.keysPressed(ch);
} }
}; };
@ -2111,6 +2115,12 @@ VT100.prototype.fixEvent = function(event) {
}; };
VT100.prototype.keyDown = function(event) { VT100.prototype.keyDown = function(event) {
// this.vt100('D: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
this.checkComposedKeys(event); this.checkComposedKeys(event);
this.lastKeyPressedEvent = undefined; this.lastKeyPressedEvent = undefined;
this.lastKeyDownEvent = undefined; this.lastKeyDownEvent = undefined;
@ -2196,6 +2206,12 @@ VT100.prototype.keyDown = function(event) {
}; };
VT100.prototype.keyPressed = function(event) { VT100.prototype.keyPressed = function(event) {
// this.vt100('P: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
if (this.lastKeyDownEvent) { if (this.lastKeyDownEvent) {
// If we already processed the key on keydown, do not process it // If we already processed the key on keydown, do not process it
// again here. Ideally, the browser should not even have generated a // again here. Ideally, the browser should not even have generated a
@ -2226,6 +2242,12 @@ VT100.prototype.keyPressed = function(event) {
}; };
VT100.prototype.keyUp = function(event) { VT100.prototype.keyUp = function(event) {
// this.vt100('U: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
if (this.lastKeyPressedEvent) { if (this.lastKeyPressedEvent) {
// The compose key on Linux occasionally confuses the browser and keeps // The compose key on Linux occasionally confuses the browser and keeps
// inserting bogus characters into the input field, even if just a regular // inserting bogus characters into the input field, even if just a regular

View file

@ -1995,6 +1995,10 @@ VT100.prototype.handleKey = function(event) {
} }
if (this.menu.style.visibility == 'hidden') { if (this.menu.style.visibility == 'hidden') {
// this.vt100('R: c=');
// for (var i = 0; i < ch.length; i++)
// this.vt100((i != 0 ? ', ' : '') + ch.charCodeAt(i));
// this.vt100('\r\n');
this.keysPressed(ch); this.keysPressed(ch);
} }
}; };
@ -2111,6 +2115,12 @@ VT100.prototype.fixEvent = function(event) {
}; };
VT100.prototype.keyDown = function(event) { VT100.prototype.keyDown = function(event) {
// this.vt100('D: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
this.checkComposedKeys(event); this.checkComposedKeys(event);
this.lastKeyPressedEvent = undefined; this.lastKeyPressedEvent = undefined;
this.lastKeyDownEvent = undefined; this.lastKeyDownEvent = undefined;
@ -2196,6 +2206,12 @@ VT100.prototype.keyDown = function(event) {
}; };
VT100.prototype.keyPressed = function(event) { VT100.prototype.keyPressed = function(event) {
// this.vt100('P: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
if (this.lastKeyDownEvent) { if (this.lastKeyDownEvent) {
// If we already processed the key on keydown, do not process it // If we already processed the key on keydown, do not process it
// again here. Ideally, the browser should not even have generated a // again here. Ideally, the browser should not even have generated a
@ -2226,6 +2242,12 @@ VT100.prototype.keyPressed = function(event) {
}; };
VT100.prototype.keyUp = function(event) { VT100.prototype.keyUp = function(event) {
// this.vt100('U: c=' + event.charCode + ', k=' + event.keyCode +
// (event.shiftKey || event.ctrlKey || event.altKey ||
// event.metaKey ? ', ' +
// (event.shiftKey ? 'S' : '') + (event.ctrlKey ? 'C' : '') +
// (event.altKey ? 'A' : '') + (event.metaKey ? 'M' : '') : '') +
// '\r\n');
if (this.lastKeyPressedEvent) { if (this.lastKeyPressedEvent) {
// The compose key on Linux occasionally confuses the browser and keeps // The compose key on Linux occasionally confuses the browser and keeps
// inserting bogus characters into the input field, even if just a regular // inserting bogus characters into the input field, even if just a regular