Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit43d09a5

Browse files
committed
fix(agent/agentssh): fix X11 forwarding by improving Xauthority management
Fixes#11531
1 parent6e5c2ef commit43d09a5

File tree

2 files changed

+396
-2
lines changed

2 files changed

+396
-2
lines changed

‎agent/agentssh/x11.go‎

Lines changed: 189 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import (
66
"encoding/hex"
77
"errors"
88
"fmt"
9+
"io"
910
"net"
1011
"os"
1112
"path/filepath"
@@ -141,7 +142,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
141142
}
142143

143144
// Open or create the Xauthority file
144-
file,err:=fs.OpenFile(xauthPath,os.O_RDWR|os.O_CREATE|os.O_APPEND,0o600)
145+
file,err:=fs.OpenFile(xauthPath,os.O_RDWR|os.O_CREATE,0o600)
145146
iferr!=nil {
146147
returnxerrors.Errorf("failed to open Xauthority file: %w",err)
147148
}
@@ -153,7 +154,100 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
153154
returnxerrors.Errorf("failed to decode auth cookie: %w",err)
154155
}
155156

156-
// Write Xauthority entry
157+
// Read the Xauthority file and look for an existing entry for the host,
158+
// display, and auth protocol. If an entry is found, overwrite the auth
159+
// cookie (if it fits). Otherwise, mark the entry for deletion.
160+
typedeleteEntrystruct {
161+
start,endint64
162+
}
163+
vardeleteEntries []deleteEntry
164+
pos:=int64(0)
165+
updated:=false
166+
for {
167+
entry,err:=readXauthEntry(file)
168+
iferr!=nil {
169+
iferrors.Is(err,io.EOF) {
170+
break
171+
}
172+
returnxerrors.Errorf("failed to read Xauthority entry: %w",err)
173+
}
174+
175+
nextPos:=pos+int64(entry.Len())
176+
cookieStartPos:=nextPos-int64(len(entry.authCookie))
177+
178+
ifentry.family==0x0100&&entry.address==host&&entry.display==display&&entry.authProtocol==authProtocol {
179+
if!updated&&len(entry.authCookie)==len(authCookieBytes) {
180+
// Overwrite the auth cookie
181+
_,err:=file.WriteAt(authCookieBytes,cookieStartPos)
182+
iferr!=nil {
183+
returnxerrors.Errorf("failed to write auth cookie: %w",err)
184+
}
185+
updated=true
186+
}else {
187+
// Mark entry for deletion.
188+
iflen(deleteEntries)>0&&deleteEntries[len(deleteEntries)-1].end==pos {
189+
deleteEntries[len(deleteEntries)-1].end=nextPos
190+
}else {
191+
deleteEntries=append(deleteEntries,deleteEntry{
192+
start:pos,
193+
end:nextPos,
194+
})
195+
}
196+
}
197+
}
198+
199+
pos=nextPos
200+
}
201+
202+
// In case the magic cookie changed, or we've previously bloated the
203+
// Xauthority file, we may have to delete entries.
204+
iflen(deleteEntries)>0 {
205+
// Read the entire file into memory. This is not ideal, but it's the
206+
// simplest way to delete entries from the middle of the file. The
207+
// Xauthority file is small, so this should be fine.
208+
_,err=file.Seek(0,io.SeekStart)
209+
iferr!=nil {
210+
returnxerrors.Errorf("failed to seek Xauthority file: %w",err)
211+
}
212+
data,err:=io.ReadAll(file)
213+
iferr!=nil {
214+
returnxerrors.Errorf("failed to read Xauthority file: %w",err)
215+
}
216+
217+
// Delete the entries.
218+
for_,entry:=rangedeleteEntries {
219+
data=append(data[:entry.start],data[entry.end:]...)
220+
}
221+
222+
// Write the data back to the file.
223+
_,err=file.Seek(0,io.SeekStart)
224+
iferr!=nil {
225+
returnxerrors.Errorf("failed to seek Xauthority file: %w",err)
226+
}
227+
_,err=file.Write(data)
228+
iferr!=nil {
229+
returnxerrors.Errorf("failed to write Xauthority file: %w",err)
230+
}
231+
232+
// Truncate the file.
233+
err=file.Truncate(int64(len(data)))
234+
iferr!=nil {
235+
returnxerrors.Errorf("failed to truncate Xauthority file: %w",err)
236+
}
237+
}
238+
239+
// Return if we've already updated the entry.
240+
ifupdated {
241+
returnnil
242+
}
243+
244+
// Ensure we're at the end (append).
245+
_,err=file.Seek(0,io.SeekEnd)
246+
iferr!=nil {
247+
returnxerrors.Errorf("failed to seek Xauthority file: %w",err)
248+
}
249+
250+
// Append Xauthority entry.
157251
family:=uint16(0x0100)// FamilyLocal
158252
err=binary.Write(file,binary.BigEndian,family)
159253
iferr!=nil {
@@ -198,3 +292,96 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
198292

199293
returnnil
200294
}
295+
296+
// xauthEntry is an representation of an Xauthority entry.
297+
//
298+
// The Xauthority file format is as follows:
299+
//
300+
// - 16-bit family
301+
// - 16-bit address length
302+
// - address
303+
// - 16-bit display length
304+
// - display
305+
// - 16-bit auth protocol length
306+
// - auth protocol
307+
// - 16-bit auth cookie length
308+
// - auth cookie
309+
typexauthEntrystruct {
310+
familyuint16
311+
addressstring
312+
displaystring
313+
authProtocolstring
314+
authCookie []byte
315+
}
316+
317+
func (exauthEntry)Len()int {
318+
// 5 * uint16 = 10 bytes for the family/length fields.
319+
return2*5+len(e.address)+len(e.display)+len(e.authProtocol)+len(e.authCookie)
320+
}
321+
322+
funcreadXauthEntry(r io.Reader) (xauthEntry,error) {
323+
varentryxauthEntry
324+
325+
// Read family
326+
err:=binary.Read(r,binary.BigEndian,&entry.family)
327+
iferr!=nil {
328+
returnxauthEntry{},xerrors.Errorf("failed to read family: %w",err)
329+
}
330+
331+
// Read address
332+
varaddressLengthuint16
333+
err=binary.Read(r,binary.BigEndian,&addressLength)
334+
iferr!=nil {
335+
returnxauthEntry{},xerrors.Errorf("failed to read address length: %w",err)
336+
}
337+
338+
addressBytes:=make([]byte,addressLength)
339+
_,err=r.Read(addressBytes)
340+
iferr!=nil {
341+
returnxauthEntry{},xerrors.Errorf("failed to read address: %w",err)
342+
}
343+
entry.address=string(addressBytes)
344+
345+
// Read display
346+
vardisplayLengthuint16
347+
err=binary.Read(r,binary.BigEndian,&displayLength)
348+
iferr!=nil {
349+
returnxauthEntry{},xerrors.Errorf("failed to read display length: %w",err)
350+
}
351+
352+
displayBytes:=make([]byte,displayLength)
353+
_,err=r.Read(displayBytes)
354+
iferr!=nil {
355+
returnxauthEntry{},xerrors.Errorf("failed to read display: %w",err)
356+
}
357+
entry.display=string(displayBytes)
358+
359+
// Read auth protocol
360+
varauthProtocolLengthuint16
361+
err=binary.Read(r,binary.BigEndian,&authProtocolLength)
362+
iferr!=nil {
363+
returnxauthEntry{},xerrors.Errorf("failed to read auth protocol length: %w",err)
364+
}
365+
366+
authProtocolBytes:=make([]byte,authProtocolLength)
367+
_,err=r.Read(authProtocolBytes)
368+
iferr!=nil {
369+
returnxauthEntry{},xerrors.Errorf("failed to read auth protocol: %w",err)
370+
}
371+
entry.authProtocol=string(authProtocolBytes)
372+
373+
// Read auth cookie
374+
varauthCookieLengthuint16
375+
err=binary.Read(r,binary.BigEndian,&authCookieLength)
376+
iferr!=nil {
377+
returnxauthEntry{},xerrors.Errorf("failed to read auth cookie length: %w",err)
378+
}
379+
380+
entry.authCookie=make([]byte,authCookieLength)
381+
_,err=r.Read(entry.authCookie)
382+
iferr!=nil {
383+
returnxauthEntry{},xerrors.Errorf("failed to read auth cookie: %w",err)
384+
}
385+
386+
returnentry,nil
387+
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp