authorMattias Andrée <maandree@operamail.com>2013-09-30 01:09:23 +0200
committerMattias Andrée <maandree@operamail.com>2013-09-30 01:09:23 +0200
commit0262cf31d3a63b8b406868ec905923705b025bc8 (patch)
tree6a589ce88bf3f8cba55965629402606ee3e17fc9
parentimprove example gotrc (diff)
patch security hole that allowed logging in as any user without a password by using -f
Signed-off-by: Mattias Andrée <maandree@operamail.com>
-rwxr-xr-xgot2
-rwxr-xr-xgot.py13
2 files changed, 13 insertions, 2 deletions
diff --git a/got b/got
index 7c88461..65619f2 100755
--- a/got
+++ b/got
@@ -37,5 +37,7 @@ else
echo -n 'Login: '
fi
+tty_settings="$(stty --save)"
"$0".py "$@" <> "/dev/${tty}" 2>&1
+stty "${tty_settings}"
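Review bot: The added `stty --save` and `stty "${tty_settings}"` calls act on the script's own standard input, while got.py is attached to `/dev/${tty}` by the redirection on the line between them, so the settings saved and restored may belong to a different terminal than the one got.py alters. Redirecting both calls, `tty_settings="$(stty --save < "/dev/${tty}")"` and `stty "${tty_settings}" < "/dev/${tty}"`, would tie them to the same device. If the save fails the variable is empty, and the restore should then be skipped rather than run with an empty argument. The surrounding if/else starts outside the hunk, so whether stdin already is that tty cannot be confirmed from here.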
diff --git a/got.py b/got.py
index ce2b403..850792e 100755
--- a/got.py
+++ b/got.py
@@ -19,10 +19,12 @@ along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
-import sys
import os
+import sys
+import time
from subprocess import Popen
+
for arg in sys.argv[1:]:
if "=" in arg:
os.putenv(arg.split("=")[0], "=".join(arg.split("=")[1:]))
@@ -30,10 +32,17 @@ for arg in sys.argv[1:]:
def spawn(cmd):
Popen(cmd, stdin = sys.stdin, stdout = sys.stdout, stderr = sys.stderr).wait()
+
user = input()
if "@" in user:
os.putenv("GOT_COMMAND", "ssh " + user)
spawn(["login", "-p", "-f", "sshlogin"])
else:
- spawn(["login"] + user.split(" "))
+ if user.startswith("-"):
+ spawn(["stty", "-icanon", "-echo", "-isig", "-ixon", "-ixoff", "-ixany"])
+ print("\033[01;31mNice try! Sleeping for 10 minutes...\033[00m")
+ for _ in range(10):
+ time.sleep(60 * 1000)
+ else:
+ spawn(["login", user])
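Review bot: The penalty loop in the `startswith("-")` branch sleeps far longer than the printed message says, because `time.sleep` takes seconds: `time.sleep(60 * 1000)` repeated ten times is close to a week, not 10 minutes, and `time.sleep(60)` would match the text. The new check also leaves the `"@"` branch untouched, where the raw input is still concatenated into `GOT_COMMAND` as `"ssh " + user`; how that variable is consumed is not visible here, but input that begins with `-` or contains whitespace should probably be rejected on that path as well. On the normal path, `spawn(["login", "--", user])` would mark the end of options explicitly instead of relying on the prefix test alone, assuming the installed login parses its arguments with getopt.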