From owner-freebsd-security Mon Oct 30 13:36:12 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id NAA17692 for security-outgoing; Mon, 30 Oct 1995 13:36:12 -0800
Received: from gvr.win.tue.nl (gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id NAA17679 for ; Mon, 30 Oct 1995 13:36:00 -0800
Received: by gvr.win.tue.nl (8.6.10/1.53) id WAA00821; Mon, 30 Oct 1995 22:35:21 +0100
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199510302135.WAA00821@gvr.win.tue.nl>
Subject: rlogind patch revisited
To: freebsd-security@freebsd.org
Date: Mon, 30 Oct 1995 22:35:21 +0100 (MET)
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Content-Length: 653
Sender: owner-security@freebsd.org
Precedence: bulk

There is this already old patch for rlogind:

revision 1.2
date: 1994/08/15 19:44:50; author: guido; state: Exp; lines: +5 -0
Plug security hole that was already fixed in 1.1. It prevents user from
specifying their hostname when rlogin()-ing in (using rlogin -f-h)
Reviewed by:
Submitted by:
----------------------------

This is solved by doing a strstr on the username provided. This prevents
usernames like "this-one" to give troubles. I think just checking the first
character for a "-" will be enough. (Even space or tabs won't have to be
skipped as the username is fed directly as an argument in execl().)

What's your opinion?

-Guido
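
The two checks compared in the message above, as an added example that is not part of the original post or the rlogind source. It assumes the existing strstr check searches for "-", and the function names, the `login -p -h` argument layout and the sample names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Policy A (assumed form of the existing check): refuse any name that
 * contains '-' anywhere. Also refuses ordinary names such as "this-one". */
int rejected_by_strstr(const char *user)
{
    return user == NULL || strstr(user, "-") != NULL;
}

/* Policy B (proposed in the message): refuse only a leading '-'. The name
 * is handed to login as one whole argv element, so it is never re-split on
 * blanks; only its first byte decides whether it parses as an option. */
int rejected_by_first_char(const char *user)
{
    return user == NULL || user[0] == '-';
}

/* Hypothetical helper: fill the argument vector a daemon would pass to
 * execl()/execv(). Returns the argument count, or -1 if the remote
 * username would be read as an option by the login program. */
int build_login_argv(const char *host, const char *user, const char *argv[6])
{
    if (rejected_by_first_char(user))
        return -1;
    argv[0] = "login"; argv[1] = "-p"; argv[2] = "-h";
    argv[3] = host;    argv[4] = user; argv[5] = NULL;
    return 5;
}

int main(void)
{
    /* Constructed sample usernames, not taken from any real system. */
    const char *names[] = { "guido", "this-one", "-f-h", " -f-h" };
    const char *argv[6];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-10s strstr:%s first-char:%s argv:%s\n", names[i],
               rejected_by_strstr(names[i]) ? "reject" : "accept",
               rejected_by_first_char(names[i]) ? "reject" : "accept",
               build_login_argv("host.example", names[i], argv) < 0
                   ? "refused" : "built");
    return 0;
}
```

The name with a leading space is accepted by the first-character check because it arrives as a single argument that does not begin with "-".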