From 0262cf31d3a63b8b406868ec905923705b025bc8 Mon Sep 17 00:00:00 2001
From: Mattias Andrée <maandree@operamail.com>
Date: Mon, 30 Sep 2013 01:09:23 +0200
Subject: patch security hole that allowed to to login as any user without
 password by using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mattias Andrée <maandree@operamail.com>
---
 got    |  2 ++
 got.py | 13 +++++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/got b/got
index 7c88461..65619f2 100755
--- a/got
+++ b/got
@@ -37,5 +37,7 @@ else
     echo -n 'Login: '
 fi
 
+tty_settings="$(stty --save)"
 "$0".py "$@" <> "/dev/${tty}" 2>&1
+stty "${tty_settings}"
 
diff --git a/got.py b/got.py
index ce2b403..850792e 100755
--- a/got.py
+++ b/got.py
@@ -19,10 +19,12 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 '''
 
 
-import sys
 import os
+import sys
+import time
 from subprocess import Popen
 
+
 for arg in sys.argv[1:]:
     if "=" in arg:
         os.putenv(arg.split("=")[0], "=".join(arg.split("=")[1:]))
@@ -30,10 +32,17 @@ for arg in sys.argv[1:]:
 def spawn(cmd):
     Popen(cmd, stdin = sys.stdin, stdout = sys.stdout, stderr = sys.stderr).wait()
 
+
 user = input()
 if "@" in user:
     os.putenv("GOT_COMMAND", "ssh " + user)
     spawn(["login", "-p", "-f", "sshlogin"])
 else:
-    spawn(["login"] + user.split(" "))
+    if user.startswith("-"):
+        spawn(["stty", "-icanon", "-echo", "-isig", "-ixon", "-ixoff", "-ixany"])
+        print("\033[01;31mNice try! Sleeping for 10 minutes...\033[00m")
+        for _ in range(10):
+            time.sleep(60 * 1000)
+    else:
+        spawn(["login", user])
 
-- 
cgit v1.2.3-70-g09d2