diff --git a/session.c b/session.c

index 9a75c62..4859245 100644

--- a/session.c

+++ b/session.c

@@ -46,6 +46,7 @@

 #include <arpa/inet.h>

+#include <ctype.h>

 #include <errno.h>

 #include <fcntl.h>

 #include <grp.h>

@@ -292,6 +293,21 @@ do_authenticated(Authctxt *authctxt)

 	do_cleanup(authctxt);

 }

+/* Check untrusted xauth strings for metacharacters */

+static int

+xauth_valid_string(const char *s)

+{

+	size_t i;

+

+	for (i = 0; s[i] != '\0'; i++) {

+		if (!isalnum((u_char)s[i]) &&

+		    s[i] != '.' && s[i] != ':' && s[i] != '/' &&

+		    s[i] != '-' && s[i] != '_')

+		return 0;

+	}

+	return 1;

+}

+

 /*

  * Prepares for an interactive session.  This is called after the user has

  * been successfully authenticated.  During this message exchange, pseudo

@@ -365,7 +381,13 @@ do_authenticated1(Authctxt *authctxt)

 				s->screen = 0;

 			}

 			packet_check_eom();

-			success = session_setup_x11fwd(s);

+			if (xauth_valid_string(s->auth_proto) &&

+			    xauth_valid_string(s->auth_data))

+				success = session_setup_x11fwd(s);

+			else {

+				success = 0;

+				error("Invalid X11 forwarding data");

+			}

 			if (!success) {

 				free(s->auth_proto);

 				free(s->auth_data);

@@ -2219,7 +2241,13 @@ session_x11_req(Session *s)

 	s->screen = packet_get_int();

 	packet_check_eom();

-	success = session_setup_x11fwd(s);

+	if (xauth_valid_string(s->auth_proto) &&

+	    xauth_valid_string(s->auth_data))

+		success = session_setup_x11fwd(s);

+	else {

+		success = 0;

+		error("Invalid X11 forwarding data");

+	}

 	if (!success) {

 		free(s->auth_proto);

 		free(s->auth_data);