From nobody Mon Apr 14 19:24:58 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Zby0p6dcBz5tL1Q;
	Mon, 14 Apr 2025 19:24:58 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Zby0p5C0Zz3D3B;
	Mon, 14 Apr 2025 19:24:58 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1744658698;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jVC3Rlw3juP0xKUP0fzsAZyTFUzQBCllGc0W/kPjUms=;
	b=JvXq3BgYOcZTErKs0SHX15wN+8IBHzfcR5DQvD9dH9QEpASeB08rw26x99a+ha+sPylBi0
	dZ/L7rE+C94/xVjLEhngbHJ146pzdw+4v/vuZjE21c8XXsKMpn3NQRby48D0F9oRlAbQlq
	c1g4kK4ct65n8fsTaI86rolkDhrYT29ISNt6zGSWpt1Ow1ZMFzE7OE9i/0iFAozgBns4zB
	fzK7WqRGUKLpVsacUVTYO/xr6ScuVaPtQR55EjbwV9FljeBWY3HZun23Lie3Cw2cvuHDH6
	8SKxxgfZZO+yMG5lnEzfPiMrtbPQUSHJR0Z7+WsY7kPNvBcSsMPE8X+Eg1bzug==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1744658698; a=rsa-sha256; cv=none;
	b=F2MfqcvCjkO0BcA5EY0NT5Sq+O7YrRzTg6prOhGioDfo1vBDTc4wU/Z3PlcRp4mRSwn4vS
	+N1BxOtVJNMOpSv3Xx5eDJE+bkQE9PbkT4hNGwhCoW/BRKVSBb9SkMRXi09DAWU2cCwldV
	b7eP0GERea3xWy5exqwOzhooqcVTv8xaqxgUpy/MZdaI+E1Ld+9FzzKNzJvSpf8o2mOQL0
	G01Yj4J2GhufbbCseamXeww5cFCrsF4xDtwd5mIAQ4TlcrivlSjr85o1TruF3Hol7n14yI
	2ZFUe1RrNUH/b1MTR+BafSNTxwSyRfM8hxwOApkyPlzc3RQf2jO/422xBgiHNQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1744658698;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jVC3Rlw3juP0xKUP0fzsAZyTFUzQBCllGc0W/kPjUms=;
	b=txGz29VoPAghF/aefjP/6iEjbzz3s9/hcy3XVQHWYqvn9xr699e3Ca8JSynwHBe/7XL6jI
	QqAmTSeSdz4ubIN6Lr2maUB/yfrSuPRXuSpXFWl6U/F+RsrgDQ7AIn+bGNGeUWkWqoHqmG
	tMFt/ZRmHWTkQbRjI0OGl65ZsAmmwR/8AlKQHCWslzcX9Gx9Tej2ygyZoDJrZeFGmimY87
	a3hH2ymk2XE4tLJ/6qXbCZilW197I+BdN4WCA9N5cHi2H1q8IeocgyLAuUUZw5rqfizSoI
	60Z2ENu4AGURTbCzpVKbivgkywPt9Pb8rlMTMDKyLcad5fcTLg06Rv7VgsYf/A==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Zby0p4Zz1z1188;
	Mon, 14 Apr 2025 19:24:58 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 53EJOwFa030698;
	Mon, 14 Apr 2025 19:24:58 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 53EJOwZY030695;
	Mon, 14 Apr 2025 19:24:58 GMT
	(envelope-from git)
Date: Mon, 14 Apr 2025 19:24:58 GMT
Message-Id: <202504141924.53EJOwZY030695@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-branches@FreeBSD.org
From: Ed Maste <emaste@FreeBSD.org>
Subject: git: fcda475ccfca - stable/14 - OpenSSH: Fix logic error
  in DisableForwarding option
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: fcda475ccfcabe6f70e6ef25ccd507ac4b92c1ee
Auto-Submitted: auto-generated

The branch stable/14 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=fcda475ccfcabe6f70e6ef25ccd507ac4b92c1ee

commit fcda475ccfcabe6f70e6ef25ccd507ac4b92c1ee
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2025-04-09 14:54:46 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-04-14 19:24:47 +0000

    OpenSSH: Fix logic error in DisableForwarding option
    
    This option was documented as disabling X11 and agent forwarding but it
    failed to do so.  Spotted by Tim Rice.
    
    Obtained from:  OpenBSD d31ec64016fc
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 3620d70511dc8bf45752028dac0af6f157ec6146)
---
 crypto/openssh/session.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 591f1e329a8d..03a20f9d9648 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -2194,7 +2194,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
 	if ((r = sshpkt_get_end(ssh)) != 0)
 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 	if (!auth_opts->permit_agent_forwarding_flag ||
-	    !options.allow_agent_forwarding) {
+	    !options.allow_agent_forwarding ||
+	    options.disable_forwarding) {
 		debug_f("agent forwarding disabled");
 		return 0;
 	}
@@ -2589,7 +2590,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
 		return 0;
 	}
-	if (!options.x11_forwarding) {
+	if (!options.x11_forwarding || options.disable_forwarding) {
 		debug("X11 forwarding disabled in server configuration file.");
 		return 0;
 	}