# HG changeset patch
# User Marcin Kuzminski
# Date 2018-05-15 16:51:38
# Node ID 2362c2cab8871751d40b46caed3940363d7a4771
# Parent 76adc0c837e70c8794eac1b923aa211649e62220
ssh(sec): fix newline problem on key saving that would allow bypassing command sandbox.
diff --git a/rhodecode/apps/ssh_support/utils.py b/rhodecode/apps/ssh_support/utils.py
--- a/rhodecode/apps/ssh_support/utils.py
+++ b/rhodecode/apps/ssh_support/utils.py
@@ -84,16 +84,22 @@ def _generate_ssh_authorized_keys_file(
for user_key in all_active_keys:
username = user_key.user.username
user_id = user_key.user.user_id
+ # replace all newline from ends and inside
+ safe_key_data = user_key.ssh_key_data\
+ .strip()\
+ .replace('\n', ' ')\
+ .replace('\r', ' ')
- keys_file.write(
- line_tmpl.format(
- ssh_opts=ssh_opts or SSH_OPTS,
- wrapper_command=ssh_wrapper_cmd,
- ini_path=ini_path,
- user_id=user_id,
- user=username,
- user_key_id=user_key.ssh_key_id,
- key=user_key.ssh_key_data))
+ line = line_tmpl.format(
+ ssh_opts=ssh_opts or SSH_OPTS,
+ wrapper_command=ssh_wrapper_cmd,
+ ini_path=ini_path,
+ user_id=user_id,
+ user=username,
+ user_key_id=user_key.ssh_key_id,
+ key=safe_key_data)
+
+ keys_file.write(line)
log.debug('addkey: Key added for user: `%s`', username)
keys_file.close()
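Review bot: The sanitisation at the `safe_key_data` assignment covers only `\n` and `\r`; `safe_key_data = ' '.join(user_key.ssh_key_data.split())` handles the same newline injection in one expression, also normalises tabs and form feeds, and avoids the backslash continuations that PEP 8 discourages in favour of parentheses. Because this runs when the authorized_keys file is regenerated rather than when a key is saved, a key containing newlines is presumably still accepted and stored; a format check on `ssh_key_data` at save time (key type, base64 blob, optional comment) would keep the defence from resting on this one call site, but that code is outside the hunk. The comment `# replace all newline from ends and inside` would say more as `# a newline here would start a new authorized_keys entry outside the wrapper command restriction`. `_generate_ssh_authorized_keys_file` begins before this hunk and continues after it.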
diff --git a/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako b/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako
--- a/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako
+++ b/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako
@@ -8,13 +8,13 @@
${_('Private key')}
-# Save the content as
-# Windows: /Users//.ssh/id_rsa_rhodecode_access_priv.key
-# macOS: /Users//.ssh/id_rsa_rhodecode_access_priv.key
-# Linux: /home//.ssh/id_rsa_rhodecode_access_priv.key
+# Save the below content as
+# Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_priv.key
+# macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_priv.key
+# Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
# Change permissions to 0600 to make it secure, and usable.
-e.g chmod 0600 /home//.ssh/id_rsa_rhodecode_access_priv.key
+e.g chmod 0600 /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key