From 909bc43e70c126c93951bb16bd9deb96430fe3ad Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty <sitaram@atc.tcs.com>
Date: Sat, 1 Oct 2011 13:02:23 +0530
Subject: [PATCH] don't allow newlines in ssh command

(again, thanks to Dan Carpenter for catching this)
---
 src/gl-auth-command | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gl-auth-command b/src/gl-auth-command
index 61b2f5a..990a604 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -93,6 +93,10 @@ unless ($ENV{SSH_ORIGINAL_COMMAND}) {
     $ENV{SSH_ORIGINAL_COMMAND} = 'info';
 }
 
+# quick sanity check for newlines; could be used to create fake log entries.
+# Not an access violation but possibly an audit/compliance reporting violation
+die "I don't like newlines in the command: $ENV{SSH_ORIGINAL_COMMAND}\n" if $ENV{SSH_ORIGINAL_COMMAND} =~ /[\n\r]/;
+
 # admin defined commands; please see doc/admin-defined-commands.mkd
 if ($GL_ADC_PATH and -d $GL_ADC_PATH) {
     try_adc();  # if it succeeds, this also 'exec's out