commit 3eec6b73a2c446225fce546d61d83cfc695fbaa0
author Damien Miller <djm@mindrot.org> Tue Jan 31 21:49:27 2006 +1100
committer Damien Miller <djm@mindrot.org> Tue Jan 31 21:49:27 2006 +1100
tree 425fe13ba7b751c6d9878eb592e2d6a014a468bd
parent b5dd55cccc7096d3db59378bba44920183f34110

   - djm@cvs.openbsd.org 2006/01/31 10:19:02
     [misc.c misc.h scp.c sftp.c]
     fix local arbitrary command execution vulnerability on local/local and
     remote/remote copies (CVE-2006-0225, bz #1094), patch by
     t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@

sftp.c

diff --git a/sftp.c b/sftp.c
index 24f6dc5..a2e3f6a 100644
--- a/sftp.c
+++ b/sftp.c
@@ -16,7 +16,7 @@
 
 #include "includes.h"
 
-RCSID("$OpenBSD: sftp.c,v 1.69 2005/12/06 22:38:27 reyk Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
 
 #ifdef USE_LIBEDIT
 #include <histedit.h>
@@ -1453,8 +1453,9 @@
 	sanitise_stdfd();
 
 	__progname = ssh_get_progname(argv[0]);
+	memset(&args, '\0', sizeof(args));
 	args.list = NULL;
-	addargs(&args, "ssh");		/* overwritten with ssh_program */
+	addargs(&args, ssh_program);
 	addargs(&args, "-oForwardX11 no");
 	addargs(&args, "-oForwardAgent no");
 	addargs(&args, "-oPermitLocalCommand no");
@@ -1489,6 +1490,7 @@
 			break;
 		case 'S':
 			ssh_program = optarg;
+			replacearg(&args, 0, "%s", ssh_program);
 			break;
 		case 'b':
 			if (batchmode)
@@ -1565,7 +1567,6 @@
 		addargs(&args, "%s", host);
 		addargs(&args, "%s", (sftp_server != NULL ?
 		    sftp_server : "sftp"));
-		args.list[0] = ssh_program;
 
 		if (!batchmode)
 			fprintf(stderr, "Connecting to %s...\n", host);
@@ -1578,6 +1579,7 @@
 			fprintf(stderr, "Attaching to %s...\n", sftp_direct);
 		connect_to_server(sftp_direct, args.list, &in, &out);
 	}
+	freeargs(&args);
 
 	err = interactive_loop(in, out, file1, file2);