[security] MAJOR issue: catch ctrl escapes (Closes #149)

The was a major security issue with lshell that allows any user to escape from lshell into bash (or any other available shell. This was done by typing <CTRL-V><CTRL-J>bash after any allowed command. For example: ~$ echo<CTRL-V><CTRL-J>bash Thanks Vladislav Yarmak (@Snawoot) for reporting this major issue!
ghantoos · Aug 22, 2016 · e72dfcd · e72dfcd
1 parent af8a24b
commit e72dfcd
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/lshell/sec.py b/lshell/sec.py
@@ -156,7 +156,7 @@ def check_secure(line, conf, strict=None, ssh=None):
     oline = line
 
     # strip all spaces/tabs
-    line = " ".join(line.split())
+    line = line.strip()
 
     # init return code
     returncode = 0

diff --git a/test/test_functional.py b/test/test_functional.py
@@ -384,6 +384,23 @@ def test_27_checksecure_awk(self):
 
         self.assertEqual(expected, result)
 
+    def test_28_catch_lnext_terminal_ctrl(self):
+        """ F25 | test ctrl-v ctrl-j then command, forbidden/security """
+        self.child = pexpect.spawn('%s/bin/lshell '
+                                   '--config %s/etc/lshell.conf '
+                                   % (TOPDIR, TOPDIR))
+        self.child.expect('%s:~\$' % self.user)
+
+        expected = u'*** forbidden syntax: echo\r'
+        self.child.send('echo')
+        self.child.sendcontrol('v')
+        self.child.sendcontrol('j')
+        self.child.sendline('bash')
+        self.child.expect('%s:~\$' % self.user)
+
+        result = self.child.before.decode('utf8').split('\n')
+
+        self.assertIn(expected, result)
 
 if __name__ == '__main__':
     unittest.main()