Apply tcp forwarding restrictions to unix sockets too

HansH111 · Apr 3, 2024 · 796a89e · 796a89e
1 parent 1d5f63c
commit 796a89e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/manpages/dropbear.8 b/manpages/dropbear.8
@@ -58,7 +58,7 @@ Enable two-factor authentication. Both password login and public key authenticat
 required. Should not be used with the '-s' option.
 .TP
 .B \-j
-Disable local port forwarding.
+Disable local port forwarding. This includes unix stream forwards.
 .TP
 .B \-k
 Disable remote port forwarding.
@@ -136,7 +136,7 @@ Available restrictions are:
 
 .TP
 .B no-port-forwarding
-Don't allow port forwarding for this connection
+Don't allow port forwarding for this connection, including unix streams.
 
 .TP
 .B no-agent-forwarding

diff --git a/src/svr-tcpfwd.c b/src/svr-tcpfwd.c
@@ -346,6 +346,11 @@ static int newstreamlocal(struct Channel * channel) {
 
 	TRACE(("streamlocal channel %d", channel->index))
 
+	if (svr_opts.nolocaltcp || !svr_pubkey_allows_tcpfwd()) {
+		TRACE(("leave newstreamlocal: local unix forwarding disabled"))
+		goto out;
+	}
+
 	destsocket = buf_getstring(ses.payload, &len);
 	if (len > MAX_HOST_LEN) {
 		TRACE(("leave streamlocal: destsocket too long"))