From 3991a0cf947cf3ae0f0373bcec5a90e86a7152f5 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 17 Sep 2022 10:11:29 +0000 Subject: [PATCH] upstream: actually hook up restrict_websafe; the command-line flag was never actually used. Spotted by Matthew Garrett OpenBSD-Commit-ID: 0b363518ac4c2819dbaa3dfad4028633ab9cdff1 --- ssh-agent.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ssh-agent.c b/ssh-agent.c index 0aef07eb5..006ddad94 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-agent.c,v 1.291 2022/09/14 00:13:13 djm Exp $ */ +/* $OpenBSD: ssh-agent.c,v 1.292 2022/09/17 10:11:29 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -808,7 +808,8 @@ process_sign_request2(SocketEntry *e) goto send; } if (sshkey_is_sk(id->key)) { - if (strncmp(id->key->sk_application, "ssh:", 4) != 0 && + if (restrict_websafe && + strncmp(id->key->sk_application, "ssh:", 4) != 0 && !check_websafe_message_contents(key, data)) { /* error already logged */ goto send;