static int statistics = 1;
static int portnumber = 0;
static int prev_stats_len = 0;
+static int scp_unsafe_mode = 0;
static char *password = NULL;
static int errs = 0;
/* GUI Adaptation - Sept 2000 */
/*
* Return a pointer to the portion of str that comes after the last
- * slash (or backslash, if `local' is TRUE).
+ * slash (or backslash or colon, if `local' is TRUE).
*/
static char *stripslashes(char *str, int local)
{
char *p;
+ if (local) {
+ p = strchr(str, ':');
+ if (p) str = p+1;
+ }
+
p = strrchr(str, '/');
if (p) str = p+1;
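Review bot: The added colon strip uses `strchr`, so a remote-supplied name with two colons (`a:b:c`) keeps `b:c`, whereas the rewritten comment above promises the part after the *last* colon, and the slash handling that follows does not remove a remaining colon (which on NTFS denotes an alternate data stream rather than a plain file). Suggest `p = strrchr(str, ':');` so the code matches the comment and the `strrchr(str, '/')` on the next line. The same helper now also replaces the hand-rolled colon handling for local source paths later in this diff, where only a single drive-letter colon is expected, so first-versus-last should make no difference there. stripslashes's body continues past the end of the hunk.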
struct fxp_names *names;
struct fxp_name *ournames;
int nnames, namesize;
- char *dir;
int i;
printf("Listing directory %s\n", dirname);
dirh = fxp_opendir(dirname);
if (dirh == NULL) {
- printf("Unable to open %s: %s\n", dir, fxp_error());
+ printf("Unable to open %s: %s\n", dirname, fxp_error());
} else {
nnames = namesize = 0;
ournames = NULL;
if (names == NULL) {
if (fxp_error_type() == SSH_FX_EOF)
break;
- printf("Reading directory %s: %s\n", dir, fxp_error());
+ printf("Reading directory %s: %s\n", dirname, fxp_error());
break;
}
if (names->nnames == 0) {
int namepos, namelen;
char *dirpath;
char *wildcard;
+ int matched_something; /* wildcard match set was non-empty */
} *scp_sftp_dirstack_head;
static char *scp_sftp_remotepath, *scp_sftp_currentname;
static char *scp_sftp_wildcard;
* slash.
*/
lastpart[-1] = '\0';
+ } else if (!*dupsource) {
+ /*
+ * The remains of dupsource are _empty_ - the whole
+ * pathname was a wildcard. Hence we need to
+ * replace it with ".".
+ */
+ sfree(dupsource);
+ dupsource = dupstr(".");
}
/*
head->names[head->namepos].filename))))
head->namepos++; /* skip . and .. */
if (head->namepos < head->namelen) {
+ head->matched_something = 1;
fname = dupcat(head->dirpath, "/",
head->names[head->namepos++].filename,
NULL);
*/
if (head->wildcard) {
act->action = SCP_SINK_RETRY;
+ if (!head->matched_something) {
+ tell_user(stderr, "pscp: wildcard '%s' matched "
+ "no files", head->wildcard);
+ errs++;
+ }
sfree(head->wildcard);
+
} else {
act->action = SCP_SINK_ENDDIR;
}
newitem->dirpath = dupstr(fname);
if (scp_sftp_wildcard) {
newitem->wildcard = scp_sftp_wildcard;
+ newitem->matched_something = 0;
scp_sftp_wildcard = NULL;
} else {
newitem->wildcard = NULL;
static void sink(char *targ, char *src)
{
char *destfname;
- char ch;
int targisdir = 0;
- int settime;
int exists;
DWORD attr;
HANDLE f;
* Prevent the remote side from maliciously writing to
* files outside the target area by sending a filename
* containing `../'. In fact, it shouldn't be sending
- * filenames with any slashes in at all; so we'll find
- * the last slash or backslash in the filename and use
- * only the part after that. (And warn!)
+ * filenames with any slashes or colons in at all; so
+ * we'll find the last slash, backslash or colon in the
+ * filename and use only the part after that. (And
+ * warn!)
*
* In addition, we also ensure here that if we're
* copying a single file and the target is a directory
* and the last component of that will fail to match
* (the last component of) the name sent.
*
- * (Well, not always; if `src' is a wildcard, we do
+ * Well, not always; if `src' is a wildcard, we do
* expect to get back filenames that don't correspond
- * exactly to it. So we skip this check if `src'
- * contains a *, a ? or a []. This is non-ideal - we
- * would like to ensure that the returned filename
- * actually matches the wildcard pattern - but one of
- * SCP's protocol infelicities is that wildcard
- * matching is done at the server end _by the server's
- * rules_ and so in general this is infeasible. Live
- * with it, or upgrade to SFTP.)
+ * exactly to it. Ideally in this case, we would like
+ * to ensure that the returned filename actually
+ * matches the wildcard pattern - but one of SCP's
+ * protocol infelicities is that wildcard matching is
+ * done at the server end _by the server's rules_ and
+ * so in general this is infeasible. Hence, we only
+ * accept filenames that don't correspond to `src' if
+ * unsafe mode is enabled or we are using SFTP (which
+ * resolves remote wildcards on the client side and can
+ * be trusted).
*/
char *striptarget, *stripsrc;
striptarget = stripslashes(act.name, 1);
if (striptarget != act.name) {
tell_user(stderr, "warning: remote host sent a compound"
- " pathname - possibly malicious! (ignored)");
+ " pathname '%s'", act.name);
+ tell_user(stderr, " renaming local file to '%s'",
+ striptarget);
}
/*
if (src) {
stripsrc = stripslashes(src, 1);
- if (!stripsrc[strcspn(stripsrc, "*?[]")] &&
- strcmp(striptarget, stripsrc)) {
- tell_user(stderr, "warning: remote host attempted to"
- " write to a different filename: disallowing");
+ if (strcmp(striptarget, stripsrc) &&
+ !using_sftp && !scp_unsafe_mode) {
+ tell_user(stderr, "warning: remote host tried to write "
+ "to a file called '%s'", striptarget);
+ tell_user(stderr, " when we requested a file "
+ "called '%s'.", stripsrc);
+ tell_user(stderr, " If this is a wildcard, "
+ "consider upgrading to SSH 2 or using");
+ tell_user(stderr, " the '-unsafe' option. Renaming"
+ " of this file has been disallowed.");
/* Override the name the server provided with our own. */
striptarget = stripsrc;
}
}
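Review bot: The new condition `strcmp(striptarget, stripsrc) && !using_sftp && !scp_unsafe_mode` waives the filename comparison entirely whenever `-unsafe` or SFTP is in use, including when `src` is a single literal filename; the usage text later in the diff presents `-unsafe` as allowing server-side *wildcards*, yet a literal request under `-unsafe` now accepts any (stripped) name the server sends, which the removed `strcspn(stripsrc, "*?[]")` test used to disallow. Keeping the literal-name check unconditional and limiting the mode exemption to wildcard requests preserves that: `if (strcmp(striptarget, stripsrc) && (!stripsrc[strcspn(stripsrc, "*?[]")] || (!using_sftp && !scp_unsafe_mode))) {`. The "If this is a wildcard, consider ... the '-unsafe' option" message would then only be reached in the wildcard case it describes. sink's body continues outside the hunk.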
(void) scp_finish_filerecv();
sfree(destfname);
- sfree(act.name);
+ sfree(act.buf);
}
}
*/
srcpath = dupstr(src);
last = stripslashes(srcpath, 1);
- if (last == srcpath) {
- last = strchr(srcpath, ':');
- if (last)
- last++;
- else
- last = srcpath;
- }
*last = '\0';
dir = FindFirstFile(src, &fdat);
continue;
}
do {
- char *last;
char *filename;
/*
* Ensure that . and .. are never matched by wildcards,
printf(" -v show verbose messages\n");
printf(" -P port connect to specified port\n");
printf(" -pw passw login with specified password\n");
+ printf(" -unsafe allow server-side wildcards (DANGEROUS)\n");
#if 0
/*
* -gui is an internal option, used by GUI front ends to get
gui_mode = 1;
} else if (strcmp(argv[i], "-ls") == 0)
list = 1;
+ else if (strcmp(argv[i], "-unsafe") == 0)
+ scp_unsafe_mode = 1;
else if (strcmp(argv[i], "--") == 0) {
i++;
break;