From dc0624101d94c569cd543c374a6fb976b6bc800a Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Tue, 19 Nov 2024 11:39:42 +0100
Subject: [PATCH] Connection: authorized_keys must be a regular file

An additional security measure against DoS attempts with a FIFO.
---
 src/Connection.cxx | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/Connection.cxx b/src/Connection.cxx
index 671ad96..6de5e00 100644
--- a/src/Connection.cxx
+++ b/src/Connection.cxx
@@ -61,6 +61,7 @@
 #include // for O_*
 #include
+#include
 using std::string_view_literals::operator""sv;
@@ -373,9 +374,13 @@ Connection::IsAcceptedPublicKey(std::span public_key_blob) noex
 if (ShouldLoadHomeAuthorizedKeys()) {
 if (auto fd = co_await OpenInHome(".ssh/authorized_keys"); fd.IsDefined()) {
- if (auto options = PublicKeysTextFileContains(fd, public_key_blob)) {
- authorized_key_options = std::move(*options);
- co_return true;
+ if (struct stat st;
+ fstat(fd.Get(), &st) == 0 &&
+ S_ISREG(st.st_mode) && st.st_size < 1024 * 1024) {
+ if (auto options = PublicKeysTextFileContains(fd, public_key_blob)) {
+ authorized_key_options = std::move(*options);
+ co_return true;
+ }
 }
 }
 }
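Review bot: The `st.st_size < 1024 * 1024` test in the new `if (struct stat st; ...)` condition is only a snapshot taken before the read, because the user-owned file can be appended to after `fstat()`. The 1 MiB cap therefore limits work only if `PublicKeysTextFileContains()` (not visible in this hunk) also bounds how many bytes it consumes; that is worth confirming. The limit is also a bare literal that the commit message, which mentions only the regular-file check, does not explain. I would name it, e.g. `static constexpr off_t MAX_AUTHORIZED_KEYS_SIZE = 1024 * 1024;`, and add a comment such as `// checked on the open fd, so the path cannot be swapped for a FIFO/device afterwards; oversized files are ignored`. A failed `fstat()` or a rejected file currently falls through with no diagnostic, so a log line on that path would help operators tell a policy rejection from a missing key. The enclosing `IsAcceptedPublicKey()` body starts and ends outside the hunk.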