static int statistics = 1;
static int portnumber = 0;
static int prev_stats_len = 0;
+static int scp_unsafe_mode = 0;
static char *password = NULL;
static int errs = 0;
/* GUI Adaptation - Sept 2000 */
/*
* Return a pointer to the portion of str that comes after the last
- * slash or backslash.
+ * slash (or backslash or colon, if `local' is TRUE).
*/
-static char *stripslashes(char *str)
+static char *stripslashes(char *str, int local)
{
char *p;
+ if (local) {
+ p = strchr(str, ':');
+ if (p) str = p+1;
+ }
+
p = strrchr(str, '/');
if (p) str = p+1;
- p = strrchr(str, '\\');
- if (p) str = p+1;
+ if (local) {
+ p = strrchr(str, '\\');
+ if (p) str = p+1;
+ }
return str;
}
struct fxp_names *names;
struct fxp_name *ournames;
int nnames, namesize;
- char *dir;
int i;
printf("Listing directory %s\n", dirname);
dirh = fxp_opendir(dirname);
if (dirh == NULL) {
- printf("Unable to open %s: %s\n", dir, fxp_error());
+ printf("Unable to open %s: %s\n", dirname, fxp_error());
} else {
nnames = namesize = 0;
ournames = NULL;
if (names == NULL) {
if (fxp_error_type() == SSH_FX_EOF)
break;
- printf("Reading directory %s: %s\n", dir, fxp_error());
+ printf("Reading directory %s: %s\n", dirname, fxp_error());
break;
}
if (names->nnames == 0) {
struct fxp_name *names;
int namepos, namelen;
char *dirpath;
+ char *wildcard;
+ int matched_something; /* wildcard match set was non-empty */
} *scp_sftp_dirstack_head;
static char *scp_sftp_remotepath, *scp_sftp_currentname;
+static char *scp_sftp_wildcard;
static int scp_sftp_targetisdir, scp_sftp_donethistarget;
static int scp_sftp_preserve, scp_sftp_recursive;
static unsigned long scp_sftp_mtime, scp_sftp_atime;
* right at the start, whereas scp_sink_init is called to
* initialise every level of recursion in the protocol.
*/
-void scp_sink_setup(char *source, int preserve, int recursive)
+int scp_sink_setup(char *source, int preserve, int recursive)
{
if (using_sftp) {
- scp_sftp_remotepath = dupstr(source);
+ char *newsource;
+ /*
+ * It's possible that the source string we've been given
+ * contains a wildcard. If so, we must split the directory
+ * away from the wildcard itself (throwing an error if any
+ * wildcardness comes before the final slash) and arrange
+ * things so that a dirstack entry will be set up.
+ */
+ newsource = smalloc(1+strlen(source));
+ if (!wc_unescape(newsource, source)) {
+ /* Yes, here we go; it's a wildcard. Bah. */
+ char *dupsource, *lastpart, *dirpart, *wildcard;
+ dupsource = dupstr(source);
+ lastpart = stripslashes(dupsource, 0);
+ wildcard = dupstr(lastpart);
+ *lastpart = '\0';
+ if (*dupsource && dupsource[1]) {
+ /*
+ * The remains of dupsource are at least two
+ * characters long, meaning the pathname wasn't
+ * empty or just `/'. Hence, we remove the trailing
+ * slash.
+ */
+ lastpart[-1] = '\0';
+ } else if (!*dupsource) {
+ /*
+ * The remains of dupsource are _empty_ - the whole
+ * pathname was a wildcard. Hence we need to
+ * replace it with ".".
+ */
+ sfree(dupsource);
+ dupsource = dupstr(".");
+ }
+
+ /*
+ * Now we have separated our string into dupsource (the
+ * directory part) and wildcard. Both of these will
+ * need freeing at some point. Next step is to remove
+ * wildcard escapes from the directory part, throwing
+ * an error if it contains a real wildcard.
+ */
+ dirpart = smalloc(1+strlen(dupsource));
+ if (!wc_unescape(dirpart, dupsource)) {
+ tell_user(stderr, "%s: multiple-level wildcards unsupported",
+ source);
+ errs++;
+ sfree(dirpart);
+ sfree(wildcard);
+ sfree(dupsource);
+ return 1;
+ }
+
+ /*
+ * Now we have dirpart (unescaped, ie a valid remote
+ * path), and wildcard (a wildcard). This will be
+ * sufficient to arrange a dirstack entry.
+ */
+ scp_sftp_remotepath = dirpart;
+ scp_sftp_wildcard = wildcard;
+ sfree(dupsource);
+ } else {
+ scp_sftp_remotepath = newsource;
+ scp_sftp_wildcard = NULL;
+ }
scp_sftp_preserve = preserve;
scp_sftp_recursive = recursive;
scp_sftp_donethistarget = 0;
scp_sftp_dirstack_head = NULL;
}
+ return 0;
}
int scp_sink_init(void)
#define SCP_SINK_FILE 1
#define SCP_SINK_DIR 2
#define SCP_SINK_ENDDIR 3
+#define SCP_SINK_RETRY 4 /* not an action; just try again */
struct scp_sink_action {
int action; /* FILE, DIR, ENDDIR */
char *buf; /* will need freeing after use */
*/
struct scp_sftp_dirstack *head = scp_sftp_dirstack_head;
while (head->namepos < head->namelen &&
- is_dots(head->names[head->namepos].filename))
+ (is_dots(head->names[head->namepos].filename) ||
+ (head->wildcard &&
+ !wc_match(head->wildcard,
+ head->names[head->namepos].filename))))
head->namepos++; /* skip . and .. */
if (head->namepos < head->namelen) {
+ head->matched_something = 1;
fname = dupcat(head->dirpath, "/",
head->names[head->namepos++].filename,
NULL);
} else {
/*
* We've come to the end of the list; pop it off
- * the stack and return an ENDDIR action.
+ * the stack and return an ENDDIR action (or RETRY
+ * if this was a wildcard match).
*/
-
+ if (head->wildcard) {
+ act->action = SCP_SINK_RETRY;
+ if (!head->matched_something) {
+ tell_user(stderr, "pscp: wildcard '%s' matched "
+ "no files", head->wildcard);
+ errs++;
+ }
+ sfree(head->wildcard);
+
+ } else {
+ act->action = SCP_SINK_ENDDIR;
+ }
+
sfree(head->dirpath);
sfree(head->names);
scp_sftp_dirstack_head = head->next;
sfree(head);
- act->action = SCP_SINK_ENDDIR;
return 0;
}
}
struct fxp_names *names;
/*
- * It's a directory. If we're not in recursive
- * mode, this just merits a complaint.
+ * It's a directory. If we're not in recursive mode,
+ * this merits a complaint (which is fatal if the name
+ * was specified directly, but not if it was matched by
+ * a wildcard).
+ *
+ * We skip this complaint completely if
+ * scp_sftp_wildcard is set, because that's an
+ * indication that we're not actually supposed to
+ * _recursively_ transfer the dir, just scan it for
+ * things matching the wildcard.
*/
- if (!scp_sftp_recursive) {
+ if (!scp_sftp_recursive && !scp_sftp_wildcard) {
tell_user(stderr, "pscp: %s: is a directory", fname);
errs++;
if (must_free_fname) sfree(fname);
- return 1;
+ if (scp_sftp_dirstack_head) {
+ act->action = SCP_SINK_RETRY;
+ return 0;
+ } else {
+ return 1;
+ }
}
/*
* Otherwise, the fun begins. We must fxp_opendir() the
* directory, slurp the filenames into memory, return
- * SCP_SINK_DIR, and set targetisdir. The next time
- * we're called, we will run through the list of
- * filenames one by one.
+ * SCP_SINK_DIR (unless this is a wildcard match), and
+ * set targetisdir. The next time we're called, we will
+ * run through the list of filenames one by one,
+ * matching them against a wildcard if present.
*
* If targetisdir is _already_ set (meaning we're
* already in the middle of going through another such
newitem->dirpath = fname;
else
newitem->dirpath = dupstr(fname);
+ if (scp_sftp_wildcard) {
+ newitem->wildcard = scp_sftp_wildcard;
+ newitem->matched_something = 0;
+ scp_sftp_wildcard = NULL;
+ } else {
+ newitem->wildcard = NULL;
+ }
scp_sftp_dirstack_head = newitem;
- act->action = SCP_SINK_DIR;
- act->buf = dupstr(stripslashes(fname));
- act->name = act->buf;
- act->size = 0; /* duhh, it's a directory */
- act->mode = 07777 & attrs.permissions;
- if (scp_sftp_preserve &&
- (attrs.flags & SSH_FILEXFER_ATTR_ACMODTIME)) {
- act->atime = attrs.atime;
- act->mtime = attrs.mtime;
- act->settime = 1;
- } else
- act->settime = 0;
+ if (newitem->wildcard) {
+ act->action = SCP_SINK_RETRY;
+ } else {
+ act->action = SCP_SINK_DIR;
+ act->buf = dupstr(stripslashes(fname, 0));
+ act->name = act->buf;
+ act->size = 0; /* duhh, it's a directory */
+ act->mode = 07777 & attrs.permissions;
+ if (scp_sftp_preserve &&
+ (attrs.flags & SSH_FILEXFER_ATTR_ACMODTIME)) {
+ act->atime = attrs.atime;
+ act->mtime = attrs.mtime;
+ act->settime = 1;
+ } else
+ act->settime = 0;
+ }
return 0;
} else {
* It's a file. Return SCP_SINK_FILE.
*/
act->action = SCP_SINK_FILE;
- act->buf = dupstr(stripslashes(fname));
+ act->buf = dupstr(stripslashes(fname, 0));
act->name = act->buf;
if (attrs.flags & SSH_FILEXFER_ATTR_SIZE) {
if (uint64_compare(attrs.size,
static void sink(char *targ, char *src)
{
char *destfname;
- char ch;
int targisdir = 0;
- int settime;
int exists;
DWORD attr;
HANDLE f;
if (act.action == SCP_SINK_ENDDIR)
return;
+ if (act.action == SCP_SINK_RETRY)
+ continue;
+
if (targisdir) {
/*
* Prevent the remote side from maliciously writing to
* files outside the target area by sending a filename
* containing `../'. In fact, it shouldn't be sending
- * filenames with any slashes in at all; so we'll find
- * the last slash or backslash in the filename and use
- * only the part after that. (And warn!)
+ * filenames with any slashes or colons in at all; so
+ * we'll find the last slash, backslash or colon in the
+ * filename and use only the part after that. (And
+ * warn!)
*
* In addition, we also ensure here that if we're
* copying a single file and the target is a directory
* and the last component of that will fail to match
* (the last component of) the name sent.
*
- * (Well, not always; if `src' is a wildcard, we do
+ * Well, not always; if `src' is a wildcard, we do
* expect to get back filenames that don't correspond
- * exactly to it. So we skip this check if `src'
- * contains a *, a ? or a []. This is non-ideal - we
- * would like to ensure that the returned filename
- * actually matches the wildcard pattern - but one of
- * SCP's protocol infelicities is that wildcard
- * matching is done at the server end _by the server's
- * rules_ and so in general this is infeasible. Live
- * with it, or upgrade to SFTP.)
+ * exactly to it. Ideally in this case, we would like
+ * to ensure that the returned filename actually
+ * matches the wildcard pattern - but one of SCP's
+ * protocol infelicities is that wildcard matching is
+ * done at the server end _by the server's rules_ and
+ * so in general this is infeasible. Hence, we only
+ * accept filenames that don't correspond to `src' if
+ * unsafe mode is enabled or we are using SFTP (which
+ * resolves remote wildcards on the client side and can
+ * be trusted).
*/
char *striptarget, *stripsrc;
- striptarget = stripslashes(act.name);
+ striptarget = stripslashes(act.name, 1);
if (striptarget != act.name) {
tell_user(stderr, "warning: remote host sent a compound"
- " pathname - possibly malicious! (ignored)");
+ " pathname '%s'", act.name);
+ tell_user(stderr, " renaming local file to '%s'",
+ striptarget);
}
/*
}
if (src) {
- stripsrc = stripslashes(src);
- if (!stripsrc[strcspn(stripsrc, "*?[]")] &&
- strcmp(striptarget, stripsrc)) {
- tell_user(stderr, "warning: remote host attempted to"
- " write to a different filename: disallowing");
+ stripsrc = stripslashes(src, 1);
+ if (strcmp(striptarget, stripsrc) &&
+ !using_sftp && !scp_unsafe_mode) {
+ tell_user(stderr, "warning: remote host tried to write "
+ "to a file called '%s'", striptarget);
+ tell_user(stderr, " when we requested a file "
+ "called '%s'.", stripsrc);
+ tell_user(stderr, " If this is a wildcard, "
+ "consider upgrading to SSH 2 or using");
+ tell_user(stderr, " the '-unsafe' option. Renaming"
+ " of this file has been disallowed.");
/* Override the name the server provided with our own. */
striptarget = stripsrc;
}
stat_bytes = 0;
stat_starttime = time(NULL);
stat_lasttime = 0;
- stat_name = stripslashes(destfname);
+ stat_name = stripslashes(destfname, 1);
received = 0;
while (received < act.size) {
}
(void) scp_finish_filerecv();
sfree(destfname);
- sfree(act.name);
+ sfree(act.buf);
}
}
* filenames returned from Find{First,Next}File.
*/
srcpath = dupstr(src);
- last = stripslashes(srcpath);
- if (last == srcpath) {
- last = strchr(srcpath, ':');
- if (last)
- last++;
- else
- last = srcpath;
- }
+ last = stripslashes(srcpath, 1);
*last = '\0';
dir = FindFirstFile(src, &fdat);
continue;
}
do {
- char *last;
char *filename;
/*
* Ensure that . and .. are never matched by wildcards,
do_cmd(host, user, cmd);
sfree(cmd);
- scp_sink_setup(src, preserve, recursive);
+ if (scp_sink_setup(src, preserve, recursive))
+ return;
sink(targ, src);
}
printf(" -v show verbose messages\n");
printf(" -P port connect to specified port\n");
printf(" -pw passw login with specified password\n");
+ printf(" -unsafe allow server-side wildcards (DANGEROUS)\n");
#if 0
/*
* -gui is an internal option, used by GUI front ends to get
gui_mode = 1;
} else if (strcmp(argv[i], "-ls") == 0)
list = 1;
+ else if (strcmp(argv[i], "-unsafe") == 0)
+ scp_unsafe_mode = 1;
else if (strcmp(argv[i], "--") == 0) {
i++;
break;