debian/0000775000000000000000000000000012757411752007203 5ustar debian/README.available0000664000000000000000000000146311735245402011776 0ustar This directory contains all of the available user CSS style sheets. These options will show up in the right click context menu. In order to en-/disable the availability of options, add/remove the appropriate symbolic link in "/etc/shellinabox/options-enabled" and restart the daemon with "sudo /etc/init.d/shellinabox restart". All options are of the form "ID_Name of Option.css". Any options with identical IDs will be put into the same option group. They are mutually exclusive and only one such option can be selected at any given time. Please note that ':', ',', and ';' are all invalid characters in option names. Options that should be turned on by default have the "_" character replaced with a "+" character. In any group of mutually exclusive options, there must be exactly one option that is turned on. debian/compat0000664000000000000000000000000211737463645010406 0ustar 8 debian/watch0000664000000000000000000000013611737463645010241 0ustar version=3 https://code.google.com/p/shellinabox/downloads/detail?name=shellinabox-(.+).tar.gz debian/shellinabox.examples0000664000000000000000000000004011735245402013235 0ustar shellinabox/cgi-mode-example.sh debian/patches/0000775000000000000000000000000012757410443010626 5ustar debian/patches/series0000664000000000000000000000002412757145722012044 0ustar CVE-2015-8400.patch debian/patches/CVE-2015-8400.patch0000664000000000000000000001162312757410411013240 0ustar Description: Disable HTTP fallback via "/plain" URL (CVE-2015-8400) * Disabled all methods of HTTP fallback when HTTPS is enabled. This is enforced on server side so that even modified client code (JS) can not redirect client from HTTPS to HTTP, like it was possible before (issue #355). 
* Current solution unfortunately also disables automatic upgrade from HTTP to HTTPS (when available), since all non-SSL connections are droped immediately. Origin: upstream, https://github.com/shellinabox/shellinabox/commit/4aa0eb97e4c90490a9c84a0d8bd57cd22572c37a Bug: https://github.com/shellinabox/shellinabox/issues/355 Last-Update: 2016-08-24 --- shellinabox-2.14.orig/libhttp/http.h +++ shellinabox-2.14/libhttp/http.h @@ -102,7 +102,7 @@ short serverConnectionSetEvents(Server * void serverExitLoop(Server *server, int exitAll); void serverLoop(Server *server); int serverSupportsSSL(); -void serverEnableSSL(Server *server, int flag); +void serverSetupSSL(Server *server, int enable, int force); void serverSetCertificate(Server *server, const char *filename, int autoGenerateMissing); void serverSetCertificateFd(Server *server, int fd); --- shellinabox-2.14.orig/libhttp/httpconnection.c +++ shellinabox-2.14/libhttp/httpconnection.c @@ -1484,6 +1484,14 @@ int httpHandleConnection(struct ServerCo *events |= POLLIN; continue; } + } else { + if (http->ssl && http->ssl->enabled && http->ssl->force) { + debug("[http] Non-SSL connections not allowed!"); + httpCloseRead(http); + bytes = 0; + eof = 1; + } + } } --- shellinabox-2.14.orig/libhttp/server.c +++ shellinabox-2.14/libhttp/server.c @@ -611,11 +611,12 @@ void serverLoop(struct Server *server) { server->looping = loopDepth - 1; } -void serverEnableSSL(struct Server *server, int flag) { - if (flag) { +void serverSetupSSL(struct Server *server, int enable, int force) { + if (enable) { check(serverSupportsSSL()); } - sslEnable(&server->ssl, flag); + sslEnable(&server->ssl, enable); + sslForce(&server->ssl, force); } void serverSetCertificate(struct Server *server, const char *filename, --- shellinabox-2.14.orig/libhttp/server.h +++ shellinabox-2.14/libhttp/server.h 
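Review bot: The new else branch in httpHandleConnection closes a plain-HTTP client without sending any response, so a user who reaches the forced-SSL port over http:// only sees a dropped connection, and the only trace on the server is a debug() line that records neither the peer nor the fact that the rejection is the CVE-2015-8400 policy. Operators will want this visible in normal logging, with the remote address if the connection object exposes it, so that a burst of such closes can be told apart from network failures; at minimum reword the message to say what happened, e.g. `debug("[http] Plain-HTTP connection rejected: SSL is enabled and forced");`. Setting `bytes = 0; eof = 1;` presumably makes the rest of the read loop treat this as a clean close, but that code is outside the hunk and should be confirmed. httpHandleConnection starts and ends outside this hunk.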
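Review bot: serverSetupSSL in server.c gains a `force` parameter that is documented nowhere: neither the declarations in http.h and server.h nor the `int force;` field added in ssl.h say what a non-zero value means, and sslForce() is applied even when `enable` is 0. Suggest a comment above the definition such as `// force: when SSL is enabled, refuse plain-HTTP connections instead of serving them (CVE-2015-8400); has no effect when enable is 0.`, and the same one-liner on the header declarations and on the ssl.h field. The "no effect when disabled" part follows from the httpconnection.c check requiring both `enabled` and `force`.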
@@ -113,7 +113,7 @@ short serverConnectionSetEvents(struct S short events); void serverExitLoop(struct Server *server, int exitAll); void serverLoop(struct Server *server); -void serverEnableSSL(struct Server *server, int flag); +void serverSetupSSL(struct Server *server, int enable, int force); void serverSetCertificate(struct Server *server, const char *filename, int autoGenerateMissing); void serverSetCertificateFd(struct Server *server, int fd); --- shellinabox-2.14.orig/libhttp/ssl.c +++ shellinabox-2.14/libhttp/ssl.c @@ -160,6 +160,7 @@ struct SSLSupport *newSSL(void) { void initSSL(struct SSLSupport *ssl) { ssl->enabled = serverSupportsSSL(); + ssl->force = 0; ssl->sslContext = NULL; ssl->sniCertificatePattern = NULL; ssl->generateMissing = 0; @@ -798,6 +799,12 @@ int sslEnable(struct SSLSupport *ssl, in return old; } +int sslForce(struct SSLSupport *ssl, int force) { + int old = ssl->force; + ssl->force = force; + return old; +} + void sslBlockSigPipe(void) { sigset_t set; sigemptyset(&set); --- shellinabox-2.14.orig/libhttp/ssl.h +++ shellinabox-2.14/libhttp/ssl.h @@ -176,6 +176,7 @@ extern void (*x_X509_free)(X509 *a); struct SSLSupport { int enabled; + int force; SSL_CTX *sslContext; char *sniCertificatePattern; int generateMissing; @@ -191,6 +192,7 @@ void sslSetCertificate(struct SSLSupport int autoGenerateMissing); void sslSetCertificateFd(struct SSLSupport *ssl, int fd); int sslEnable(struct SSLSupport *ssl, int enabled); +int sslForce(struct SSLSupport *ssl, int force); void sslBlockSigPipe(); int sslUnblockSigPipe(); int sslPromoteToSSL(struct SSLSupport *ssl, SSL **sslHndl, int fd, --- shellinabox-2.14.orig/shellinabox/shellinaboxd.c +++ shellinabox-2.14/shellinabox/shellinaboxd.c 
@@ -108,6 +108,7 @@ static int noBeep = 0;
 static int numericHosts = 0;
 static int enableSSL = 1;
 static int enableSSLMenu = 1;
+static int forceSSL = 1; // TODO enable http fallback with commandline option
 static int linkifyURLs = 1;
 static char *certificateDir;
 static int certificateFd = -1;
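Review bot: `forceSSL = 1` is hard-coded with a TODO, so the comment explains what is missing but not why the default is on or what the flag protects against. Suggest `static int forceSSL = 1; // reject plain-HTTP while SSL is enabled (CVE-2015-8400); no command-line override yet`. If a command-line option is added later, the rejecting behaviour should remain the default so that an upgrade never silently reopens the /plain fallback.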
@@ -1202,7 +1203,8 @@ static void removeLimits() { } static void setUpSSL(Server *server) { - serverEnableSSL(server, enableSSL); + + serverSetupSSL(server, enableSSL, forceSSL); // Enable SSL support (if available) if (enableSSL) { debian/README.enabled0000664000000000000000000000027511735245402011450 0ustar This directory contains links to "/etc/shellinabox/options-available". See that directory for more details on how to enable or disable options that show up in the right-click context menu. debian/shellinabox.dirs0000664000000000000000000000003311742720511012357 0ustar usr/bin usr/share/man/man1 debian/changelog0000664000000000000000000000265512757376434011074 0ustar shellinabox (2.14-1ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: Disable HTTP fallback using the URL /plain. Consequently disables automatic upgrades from HTTP to HTTPS. - Thanks to Stephen Roettger for finding the bug. - Thanks to Luka Krajger for writing the fix. - Fixes CVE-2015-8400 -- Emily Ratliff Tue, 23 Aug 2016 17:07:53 -0500 shellinabox (2.14-1) unstable; urgency=low * Revised install target of debian/rules. * Revised postrm and prerm to fix dangling symlinks on purge. (Closes: #668720.) -- Marc Singer Sat, 21 Apr 2012 10:26:21 -0700 shellinabox (2.13-1) unstable; urgency=low * Typo in web address. (Closes: #668130.) * Removing PATH_MAX reference which should fix Hurd build. -- Marc Singer Mon, 09 Apr 2012 18:34:17 -0700 shellinabox (2.12-1) unstable; urgency=low * Moved libssl from a dependency to a recommended package using a helper progam. Fixed typo in dependency to lsb-base. (Closes: #667938.) * Added support for runtime naming of the libssl so library. -- Marc Singer Sat, 07 Apr 2012 15:39:11 -0700 shellinabox (2.11-1) unstable; urgency=low * First release into archive. (Closes: #535905.) * Applied patches from the issues database. * Rolled major revision so that the tarball is complete. 
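Review bot: The added empty line before the serverSetupSSL() call in setUpSSL is stray whitespace that should be dropped before this lands, since the hunk otherwise only swaps one call for another. While touching the line, the existing comment `// Enable SSL support (if available)` sits after the call it describes; moving it above `serverSetupSSL(server, enableSSL, forceSSL);` would make the call and the following `if (enableSSL)` block read in order. The body of setUpSSL continues outside the hunk.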
-- Marc Singer Sat, 07 Apr 2012 15:01:11 -0700 debian/shellinabox.postrm0000775000000000000000000000210411744567236012765 0ustar #!/bin/sh # postrm script for shellinabox # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# d=/var/lib/shellinabox case "$1" in remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; purge) deluser --quiet --system shellinabox > /dev/null || true delgroup --quiet --system shellinabox > /dev/null || true [ ! -d "$d" ] || rmdir "$d" || true # deluser can't do this for /var exit 0 ;; esac exit 0 debian/shellinabox.init0000775000000000000000000001124211741136246012375 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: shellinabox # Required-Start: $network $remote_fs # Required-Stop: $network $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Shell In A Box Daemon # Description: Daemon for publishing a login shell at # http://localhost:SHELLINABOX_PORT # where default port number is 4200. ### END INIT INFO # Authors: Markus Gutschke , Marc Singer # PATH should only include /usr/* if it runs after the mountnfs.sh script PATH=/sbin:/bin:/usr/sbin:/usr/bin DESC="Shell In A Box Daemon" NAME="shellinabox" DAEMON="/usr/bin/shellinaboxd" PIDFILE="/var/run/shellinaboxd.pid" SCRIPTNAME=/etc/init.d/$NAME # Exit if the package is not installed [ -x $DAEMON ] || exit 0 # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME # Load the VERBOSE setting and other rcS variables . /lib/init/vars.sh # Define LSB log_* functions. # Depend on lsb-base (>= 3.0-6) to ensure that this file is present. . 
/lib/lsb/init-functions # Set some default values SHELLINABOX_DATADIR="${SHELLINABOX_DATADIR:-/var/lib/shellinabox}" SHELLINABOX_PORT="${SHELLINABOX_PORT:-4200}" SHELLINABOX_USER="${SHELLINABOX_USER:-shellinabox}" SHELLINABOX_GROUP="${SHELLINABOX_GROUP:-shellinabox}" # # Function that starts the daemon/service. # d_start() { if [ -z "$SHELLINABOX_DAEMON_START" -o \ "$SHELLINABOX_DAEMON_START" = "0" ]; then return 0 fi eval start-stop-daemon --start --oknodo --pidfile "'$PIDFILE'" \ --exec "'$DAEMON'" -- -q --background="'$PIDFILE'" \ -c "'${SHELLINABOX_DATADIR}'" -p "'${SHELLINABOX_PORT}'" \ -u "'${SHELLINABOX_USER}'" -g "'${SHELLINABOX_GROUP}'" \ $(for i in $(ls /etc/shellinabox/options-enabled/*.css | sed -e \ 's/.*[/]\([0-9]*\)[-_+][^/:,;]*[.]css/\1/'| sort -u); do for j in /etc/shellinabox/options-enabled/"$i"*.css; do echo -n "$j" | sed -e 's/\(.*[/]\)\([0-9]*\)\([-_+]\)\([^/:,;]*\)[.]css/\4:\3\1\2\3\4.css,/ s/:_/:-/' done | sed -e 's/,$/;/' done | sed -e 's/;$// //b s/.*/--user-css "\0"/') \ "${SHELLINABOX_ARGS}" } # # Function that stops the daemon/service. # d_stop() { start-stop-daemon --stop --oknodo --pidfile "$PIDFILE" rm -f "$PIDFILE" } # # Function that reloads the config file for the daemon/service. # d_reload() { # Only reload if there are no active sessions running [ -r "$PIDFILE" ] && [ `ps o pid= --ppid "\`cat "$PIDFILE"\`\`ps o pid= --ppid \ \\\`cat "$PIDFILE"\\\`| xargs -r -n 1 printf ',%s'\`" | wc -l` -gt 1 ] && return 1 d_stop d_start } # # Function that check the status of the daemon/service. # d_status() { [ -r "$PIDFILE" ] && kill -0 `cat "$PIDFILE"` && echo "$DESC is running" || echo "$DESC is not running" } case "$1" in start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" d_start case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" d_stop case "$?" 
in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; reload) [ "$VERBOSE" != no ] && log_daemon_msg "Reloading services for $DESC" "$NAME" d_reload case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; restart|force-reload) [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME" d_stop d_start case "$?" in 0) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 1) [ "$VERBOSE" != no ] && log_end_msg 1 ;; *) [ "$VERBOSE" != no ] && log_end_msg 1 ;; # Failed to start esac ;; status) d_status ;; *) echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload|reload}" >&2 exit 1 ;; esac exit 0 debian/rules0000775000000000000000000000515611744567236010276 0ustar #!/usr/bin/make -f # -*- makefile -*- # Sample debian/rules that uses debhelper. # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ --with autotools-dev # elf-2012.04.10: Since Debian manages package dependencies we can # force linkage of ssl s.t. the dependency is properly kept # up-to-date. This is much better than attempting to # force the right version of ssl to be present # s.t. the runtime loader can find them. override_dh_auto_configure: dh_auto_configure -- --disable-runtime-loading # elf-2012.03.24: This work should be done in the Makefile install # target instead of debian/rules. DESTDIR=$(CURDIR)/debian/tmp override_dh_install: dh_testdir dh_testroot dh_prep dh_installdirs # We need to install some files for the benefit of Debian that aren't # going into the program instal target. So, we install into # debian/tmp the things that need to be included in the package. 
$(MAKE) install DESTDIR=$(DESTDIR) # Set up system-wide user CSS style options mkdir -p "$(DESTDIR)/etc/shellinabox/options-available" mkdir -p "$(DESTDIR)/etc/shellinabox/options-enabled" for i in \ "00+Black on White" \ "00_White On Black" \ "01_Monochrome" \ "01+Color Terminal"; do \ cp "$(DESTDIR)/usr/share/doc/shellinabox/$$(echo "$$i"| \ sed -e 's/[0-9]*[_+]\([^ ]*\).*/\1/'| \ tr A-Z a-z)"*.css \ "$(DESTDIR)/etc/shellinabox/options-available/$$i.css"; \ done cd "$(DESTDIR)/etc/shellinabox/options-enabled" \ && ln -s ../options-available/*.css . cp "$(CURDIR)/debian/README.available" \ "$(DESTDIR)/etc/shellinabox/options-available/README" cp "$(CURDIR)/debian/README.enabled" \ "$(DESTDIR)/etc/shellinabox/options-enabled/README" # Shellinabox home directory # mkdir -p "$(DESTDIR)/var/lib/shellinabox" # Add Lintian override. ShellInABox has an explicit exemption allowing # the linking its GPLv2 code with OpenSSL. mkdir -p "$(DESTDIR)/usr/share/lintian/overrides/" { echo '# ShellInABox has an explicit exemption allowing the linking';\ echo '# of its GPLv2 code with OpenSSL'; \ echo 'shellinabox binary: possible-gpl-code-linked-with-openssl'; } \ >"$(DESTDIR)/usr/share/lintian/overrides/shellinabox" # Now perform the normal debhelper install. dh_install debian/README.source0000664000000000000000000000026411737463645011371 0ustar The upstream source for shellinabox is archived in googlecode GIT repository, . The package is being maintained as a native Debian package. 
debian/docs0000664000000000000000000000003111737463645010055 0ustar AUTHORS NEWS README TODO debian/shellinabox.postinst0000775000000000000000000000254111744567236013331 0ustar #!/bin/sh # postinst script for shellinabox # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if ! getent passwd shellinabox >/dev/null; then adduser --disabled-password --quiet --system \ --home /var/lib/shellinabox --gecos "Shell In A Box" \ --group shellinabox fi # Shellinabox must own the certificate directory so that it # can write the certificate even when the daemon has given-up # root privileges. # chown shellinabox:shellinabox /var/lib/shellinabox ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/shellinabox.default0000664000000000000000000000106611741136246013056 0ustar # Should shellinaboxd start automatically SHELLINABOX_DAEMON_START=1 # TCP port that shellinboxd's webserver listens on SHELLINABOX_PORT=4200 # Parameters that are managed by the system and usually should not need # changing: # SHELLINABOX_DATADIR=/var/lib/shellinabox # SHELLINABOX_USER=shellinabox # SHELLINABOX_GROUP=shellinabox # Any optional arguments (e.g. extra service definitions). Make sure # that that argument is quoted. # # Beeps are disabled because of reports of the VLC plugin crashing # Firefox on Linux/x86_64. 
SHELLINABOX_ARGS="--no-beep" debian/shellinabox.install0000664000000000000000000000017111735245402013072 0ustar etc/shellinabox/options-available etc/shellinabox/options-enabled usr/bin usr/share/lintian/overrides usr/share/man/man1 debian/shellinabox.prerm0000664000000000000000000000160611744567236012571 0ustar #!/bin/sh # prerm script for shellinabox # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `upgrade' # * `failed-upgrade' # * `remove' `in-favour' # * `deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in remove) [ ! -f /var/lib/shellinabox/certificate.pem ] \ || rm /var/lib/shellinabox/certificate.pem ;; upgrade|deconfigure) ;; failed-upgrade) ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/copyright0000664000000000000000000000402611737465303011136 0ustar Format: http://dep.debian.net/deps/dep5 Upstream-Name: shellinabox Source: Files: * Copyright: Copyright 2008-2012, Markus Gutschke All rights reserved. Upstream-Author: markus@shellinabox.com License: GPL-2+ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. . This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. . See /usr/share/common-licenses/GPL-2 on your Debian system. . In addition to these license terms, the author grants the following additional rights: . 
If you modify this program, or any covered work, by linking or combining it with the OpenSSL project's OpenSSL library (or a modified version of that library), containing parts covered by the terms of the OpenSSL or SSLeay licenses, the author grants you additional permission to convey the resulting work. Corresponding Source for a non-source form of such a combination shall include the source code for the parts of OpenSSL used as well as that of the covered work. . You may at your option choose to remove this additional permission from the work, or from any part of it. . It is possible to build this program in a way that it loads OpenSSL libraries at run-time. If doing so, the following notices are required by the OpenSSL and SSLeay licenses: . This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) . This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) debian/source/0000775000000000000000000000000011737463645010510 5ustar debian/source/options0000664000000000000000000000000111737463645012115 0ustar debian/source/format0000664000000000000000000000001411737463645011716 0ustar 3.0 (quilt) debian/source/include-binaries0000664000000000000000000000005311737463645013646 0ustar demo/keyboard.png shellinabox/keyboard.png debian/control0000664000000000000000000000163512757145467010622 0ustar Source: shellinabox Section: web Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Marc Singer Build-Depends: debhelper (>= 8.0.0), autotools-dev, binutils, libssl-dev, libpam0g-dev, zlib1g-dev Standards-Version: 3.9.3 Homepage: http://shellinabox.com Vcs-Git: https://code.google.com/p/shellinabox/ Vcs-Browser: https://code.google.com/p/shellinabox/source/browse/ Package: shellinabox Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, lsb-base Suggests: openssl Description: publish command line shell through AJAX interface Shellinabox can 
export arbitrary command line programs to any JavaScript enabled web browser. By default, it prompts for username and password and then exports a SSL/TLS encrypted login shell. Shellinabox provides a VT100 compatible terminal emulator that runs within any modern browser.