Fix CVE-2017-17459: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17459 Patch copied from upstream source repository: https://www.fossil-scm.org/xfer/info/1f63db591c77108c
Index: src/http_transport.c
==================================================================
--- src/http_transport.c
+++ src/http_transport.c
@@ -73,10 +73,23 @@
 if( resetFlag ){
 transport.nSent = 0;
 transport.nRcvd = 0;
 }
 }
+
+/*
+** Remove leading "-" characters from the input string.
+**
+** This prevents attacks that try to trick a victim into using
+** a ssh:// URI with a carefully crafted hostname of other
+** parameter that ends up being interpreted as a command-line
+** option by "ssh".
+*/
+static const char *stripLeadingMinus(const char *z){
+ while( z[0]=='-' ) z++;
+ return z;
+}

 /*
 ** Default SSH command
 */
 #ifdef _WIN32
@@ -116,17 +129,17 @@
 }else{
 zHost = mprintf("%s", pUrlData->name);
 }
 n = blob_size(&zCmd);
 blob_append(&zCmd, " ", 1);
- shell_escape(&zCmd, zHost);
+ shell_escape(&zCmd, stripLeadingMinus(zHost));
 blob_append(&zCmd, " ", 1);
 shell_escape(&zCmd, mprintf("%s", pUrlData->fossil));
 blob_append(&zCmd, " test-http", 10);
 if( pUrlData->path && pUrlData->path[0] ){
 blob_append(&zCmd, " ", 1);
- shell_escape(&zCmd, mprintf("%s", pUrlData->path));
+ shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->path)));
 }
 if( g.fSshTrace ){
 fossil_print("%s\n", blob_str(&zCmd)+n); /* Show tail of SSH command */
 }
 free(zHost);
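Review bot: stripLeadingMinus() silently rewrites the value instead of rejecting it, so a host or path consisting only of "-" characters becomes an empty string and a name that starts with "-" is quietly changed into a different name. Failing the operation with an error when the first character is '-' would be easier to reason about and would avoid contacting a host the user never named. The helper also reads `z[0]` without a NULL check; that holds for the two call sites in this patch but deserves a line in the header comment, e.g. `** z must not be NULL.`. The header comment also has a typo: `hostname of other` should read `hostname or other`.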
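Review bot: `pUrlData->fossil` is still passed to shell_escape() unfiltered, directly after the host argument, while the host and the path now go through stripLeadingMinus(). If that field can be set from the URL (its origin is not visible in this hunk), it needs the same treatment, because some ssh clients keep parsing options after the host name: `shell_escape(&zCmd, mprintf("%s", stripLeadingMinus(pUrlData->fossil)));`. The enclosing function starts and ends outside the hunk, including the branch that builds zHost before the visible `}else{`, so it is worth confirming there that the check is applied to the final string handed to ssh.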