From 4b549144d82ea0f368321d149215f577049fffa6 Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Sun, 15 Sep 2013 22:26:56 -0400 Subject: Verify validity of session name when received from outside Only ASCII letters and digits are allowed.
---
 src/login/logind.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src/login/logind.c')
diff --git a/src/login/logind.c b/src/login/logind.c
index 9094567b8d..4ef92b8253 100644
--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -684,6 +684,12 @@ int manager_enumerate_sessions(Manager *m) {
 if (!dirent_is_file(de))
 continue;
 
+ if (!session_id_valid(de->d_name)) {
+ log_warning("Invalid session file name '%s', ignoring.", de->d_name);
+ r = -EINVAL;
+ continue;
+ }
+
 k = manager_add_session(m, de->d_name, &s);
 if (k < 0) {
 log_error("Failed to add session by file name %s: %s", de->d_name, strerror(-k));
-- cgit v1.2.3-54-g00ecf
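Review bot: The added branch logs that the invalid entry is being ignored, yet it also sets `r = -EINVAL;` before `continue`, so the message and the recorded status disagree. If `r` is what manager_enumerate_sessions() returns (the function starts and ends outside this hunk), a single stray file in the session directory would make the whole enumeration report failure even when every valid session loaded. Either drop the assignment so the behaviour matches the warning, or keep it and state the intent in a comment such as `/* still report -EINVAL so the caller learns the directory held an unexpected entry */`. Separately, `de->d_name` is written to the log with `'%s'` precisely because it failed validation, so it is worth confirming that the logging layer escapes control characters in that string.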