svr_getopts should either support bundling or fail if bundling is used
Guilhem Moulin
guilhem at fripost.org
Wed Oct 14 03:13:31 AWST 2015
Hi,
It's fine not to implement bundling in dropbear's option parsing
function (svr-runopts.c's svr_getopts), but it should at least croak if
argv[i][2] != '\0'. For instance
dropbear -rdropbear.key -p127.0.0.1:2222 -sjk
should either fail, or be parsed as
dropbear -r dropbear.key -p 127.0.0.1:2222 -s -j -k
if bundling is allowed.
This might have security implications, as the current parsing mechanism
might make a user think that passing ‘-sjk’ disables port forwarding,
which is not the case (the trailing ‘jk’ is ignored).
Cheers,
--
Guilhem.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20151013/06af2fd0/attachment.sig
More information about the Dropbear
mailing list