go-gitea/modules/ssh
Hugo Landau 4a6466cca5
Remove environment variable parsing from SSH server
This removes the environment variable parsing code from the SSH server,
which never worked in the first place. Since environment variable
passing doesn't appear to be necessary for the built-in SSH server to
work properly, it's removed to reduce attack surface rather than fixing
it.

The current code processes (untrusted) input in a buggy manner and
passes it to a process invocation which doesn't actually do anything. I
don't *think* this is an exploitable vulnerability but I haven't looked
at it in detail, and it wouldn't really surprise me if it was.

Closes #1935, an alternative proposal which partially fixes the
environment variable handling but ultimately still leaves it broken.

Signed-off-by: Hugo Landau <hlandau@devever.net>
2018-06-17 23:14:23 +01:00
ssh.go Remove environment variable parsing from SSH server 2018-06-17 23:14:23 +01:00