From ca913af6cda4f29c7f1189b47ecc040016dba95b Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Sat, 5 Mar 2011 05:41:21 +0530 Subject: [PATCH] for cool 'cat's who use 'putty' :-) ryan-c on #gitolite (ryan.castellucci@gmail.com) found that if a user types in ssh git@server `echo -e "\033[2J"` or eqvt, he can get raw ASCII control characters into gitolite's log file. Then if a gitolite admin 'cat's the log file (instead of using a pager, or uses a pager in raw mode like 'less -r'), those control characters hit his screen and do stuff. While clearing the screen etc is probably harmless and I would not have bothered, we know that the old vt100 would allow the keyboard to be remapped by the server sending control codes, and we're not really sure which of the currently in use terminals emulate this. And finally, I found somewhere that "PuTTY allows the server to send control codes that let it take over the mouse". Scary... (...of course, I hate putty/plink so I was sorely tempted to leave this as is to punish people who use it but not really; I'd joke about it but won't actually *do* it!) --- src/gitolite.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/gitolite.pm b/src/gitolite.pm index 417a100..c0581c8 100644 --- a/src/gitolite.pm +++ b/src/gitolite.pm @@ -125,6 +125,8 @@ sub log_it { $logmsg = $_[0] || $ENV{SSH_ORIGINAL_COMMAND}; shift; # the rest of it upto the caller; we just dump it into the logfile $logmsg .= "\t@_" if @_; + # erm... this is hard to explain so just see the commit message ok? + $logmsg =~ s/([\x00-\x08\x0A-\x1F\x7F-\xFF]+)/sprintf "<>","",$1/ge; print $log_fh "$ENV{GL_TS}\t$ENV{GL_USER}\t$ip\t$logmsg\n"; close $log_fh or die "close log failed: $!\n"; }
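Review bot: the sprintf format in the added substitution, as it appears here, is "<>" with no conversion specifier, so the two arguments that follow it ("" and $1) are ignored and every run of matched bytes is written to the log as the same literal "<>". That does keep raw control characters off the admin's terminal, but it also throws away what the user actually sent, which is the part an admin reading the log would want. If the intent was to record the bytes in printable form, the format needs a conversion that consumes those arguments, for example a hex vector conversion like %*v02X, which takes "" as the join string and $1 as the data. Two smaller points on the same lines: the character class skips \x09, presumably because log_it joins its extra arguments with a tab, but the record is tab-separated, so a tab inside SSH_ORIGINAL_COMMAND still passes through and can make one entry look like it has extra fields; and the new comment only points at the commit message, so a one-line statement of the reason (control characters from the user's command must not reach the terminal of whoever reads the log) would serve the next reader of log_it better.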