ssh: sanitize the banner displayed by BannerDisplayStderr#363
ssh: sanitize the banner displayed by BannerDisplayStderr#363CaptainTed1 wants to merge 1 commit into
Conversation
A malicious server can embed terminal control characters and escape sequences in the pre-authentication banner, which BannerDisplayStderr writes verbatim to stderr. Strip control characters, other than tab, carriage return, and newline, before displaying the banner, matching OpenSSH's behavior. Users who need the unfiltered banner can provide their own BannerCallback. Fixes golang/go#80302
|
This PR (HEAD: 2cc05fe) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/799920. Important tips:
|
|
Message from Gopher Robot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be During May-July and Nov-Jan the Go project is in a code freeze, during which Please don’t reply on this GitHub thread. Visit golang.org/cl/799920. |
A malicious server can embed terminal control characters and escape
sequences in the pre-authentication banner, which BannerDisplayStderr
writes verbatim to stderr. Strip control characters, other than tab,
carriage return, and newline, before displaying the banner, matching
OpenSSH's behavior. Users who need the unfiltered banner can provide
their own BannerCallback.
Fixes golang/go#80302