From 2d3ab5df3d3a14c449286b2716ad1c49adf32f83 Mon Sep 17 00:00:00 2001
From: Leon Klingele
Date: Fri, 18 May 2018 17:18:41 +0200
Subject: [PATCH] server/user-create: Disallow single and double quotes in SSH key
---
 server/git-shell-commands/user-create | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/git-shell-commands/user-create b/server/git-shell-commands/user-create
index 3c84c40..44ddc86 100755
--- a/server/git-shell-commands/user-create
+++ b/server/git-shell-commands/user-create
@@ -34,6 +34,11 @@ if [ -z "$PUBLIC_KEY" ]; then
 exit 1
 fi
 
+if (echo "$PUBLIC_KEY" | grep -xPq '^.*(\047|\042).*$'); then
+ echo 'Disallowed characters in public key. Disallowed: '"'"', "'
+ exit 1
+fi
+
 # TODO(leon): Do we want to validate ssh-key type (e.g. rsa / ed25519 / ..)?
 case "$PUBLIC_KEY" in
 'ssh-'*)
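Review bot: The added quote check fails open. If the server's `grep` has no `-P` support (BusyBox and BSD builds, for example), it exits with status 2, the `if` condition is false, and a key containing quotes is accepted. A pure-shell match avoids that dependency and also avoids `echo` mangling a value that starts with `-n` or contains backslashes: `case "$PUBLIC_KEY" in *\'*|*\"*) echo 'Disallowed characters in public key.' >&2; exit 1 ;; esac`. The check is also a denylist of only two characters. How `$PUBLIC_KEY` is consumed lies outside this hunk, and the `case` statement that follows continues past its end, but if the value is written into an authorized_keys-style file or expanded into a command, embedded newlines and other shell metacharacters would presumably need rejecting too. An allowlist of the expected `type base64 [comment]` shape, placed next to the existing `'ssh-'*` check, would be the sturdier guard.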