X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/6b18a52414dec1bd017b32fa469873f1b1e0f96e..d8d6c7e50e1fcf5171ec15f8a3e9bdcd141f0b64:/scp.c?ds=sidebyside diff --git a/scp.c b/scp.c index 7ab31207..45930c0e 100644 --- a/scp.c +++ b/scp.c @@ -1,11 +1,15 @@ /* - * scp.c - Scp (Secure Copy) client for PuTTY. - * Joris van Rantwijk, Simon Tatham + * scp.c - Scp (Secure Copy) client for PuTTY. + * Joris van Rantwijk, Simon Tatham * - * This is mainly based on ssh-1.2.26/scp.c by Timo Rinne & Tatu Ylonen. - * They, in turn, used stuff from BSD rcp. - * - * Adaptations to enable connecting a GUI by L. Gunnarsson - Sept 2000 + * This is mainly based on ssh-1.2.26/scp.c by Timo Rinne & Tatu Ylonen. + * They, in turn, used stuff from BSD rcp. + * + * (SGT, 2001-09-10: Joris van Rantwijk assures me that although + * this file as originally submitted was inspired by, and + * _structurally_ based on, ssh-1.2.26's scp.c, there wasn't any + * actual code duplicated, so the above comment shouldn't give rise + * to licensing issues.) */ #include @@ -22,9 +26,6 @@ #include #include #include -/* GUI Adaptation - Sept 2000 */ -#include -#include #define PUTTY_DO_GLOBALS #include "putty.h" @@ -48,6 +49,9 @@ #define WM_STATS_ELAPSED ( WM_APP_BASE+405 ) #define WM_RET_ERR_CNT ( WM_APP_BASE+406 ) #define WM_LS_RET_ERR_CNT ( WM_APP_BASE+407 ) +#define WM_STATS_DONE ( WM_APP_BASE+408 ) +#define WM_STATS_ETA ( WM_APP_BASE+409 ) +#define WM_STATS_RATEBS ( WM_APP_BASE+410 ) static int list = 0; static int verbose = 0; @@ -57,12 +61,16 @@ static int targetshouldbedirectory = 0; static int statistics = 1; static int portnumber = 0; static int prev_stats_len = 0; +static int scp_unsafe_mode = 0; static char *password = NULL; static int errs = 0; /* GUI Adaptation - Sept 2000 */ #define NAME_STR_MAX 2048 static char statname[NAME_STR_MAX + 1]; static unsigned long statsize = 0; +static unsigned long statdone = 0; +static unsigned long stateta = 0; +static unsigned long statratebs = 0; static int statperct = 0; static unsigned long statelapsed = 0; static int gui_mode = 0; @@ -77,7 +85,9 @@ static void tell_char(FILE * stream, char c); static void tell_str(FILE * stream, char *str); static void tell_user(FILE * stream, char *fmt, ...); static void gui_update_stats(char *name, unsigned long size, - int percentage, unsigned long elapsed); + int percentage, unsigned long elapsed, + unsigned long done, unsigned long eta, + unsigned long ratebs); /* * The maximum amount of queued data we accept before we stop and @@ -89,7 +99,7 @@ void logevent(char *string) { } -void ldisc_send(char *buf, int len) +void ldisc_send(char *buf, int len, int interactive) { /* * This is only here because of the calls to ldisc_send(NULL, @@ -216,6 +226,63 @@ void askcipher(char *ciphername, int cs) } } +/* + * Ask whether to wipe a session log file before writing to it. + * Returns 2 for wipe, 1 for append, 0 for cancel (don't log). + */ +int askappend(char *filename) +{ + HANDLE hin; + DWORD savemode, i; + + static const char msgtemplate[] = + "The session log file \"%.*s\" already exists.\n" + "You can overwrite it with a new session log,\n" + "append your session log to the end of it,\n" + "or disable session logging for this session.\n" + "Enter \"y\" to wipe the file, \"n\" to append to it,\n" + "or just press Return to disable logging.\n" + "Wipe the log file? (y/n, Return cancels logging) "; + + char line[32]; + + fprintf(stderr, msgtemplate, FILENAME_MAX, filename); + fflush(stderr); + + hin = GetStdHandle(STD_INPUT_HANDLE); + GetConsoleMode(hin, &savemode); + SetConsoleMode(hin, (savemode | ENABLE_ECHO_INPUT | + ENABLE_PROCESSED_INPUT | ENABLE_LINE_INPUT)); + ReadFile(hin, line, sizeof(line) - 1, &i, NULL); + SetConsoleMode(hin, savemode); + + if (line[0] == 'y' || line[0] == 'Y') + return 2; + else if (line[0] == 'n' || line[0] == 'N') + return 1; + else + return 0; +} + +/* + * Warn about the obsolescent key file format. + */ +void old_keyfile_warning(void) +{ + static const char message[] = + "You are loading an SSH 2 private key which has an\n" + "old version of the file format. This means your key\n" + "file is not fully tamperproof. Future versions of\n" + "PuTTY may stop supporting this private key format,\n" + "so we recommend you convert your key to the new\n" + "format.\n" + "\n" + "Once the key is loaded into PuTTYgen, you can perform\n" + "this conversion simply by saving it again.\n"; + + fputs(message, stderr); +} + /* GUI Adaptation - Sept 2000 */ static void send_msg(HWND h, UINT message, WPARAM wParam) { @@ -255,7 +322,9 @@ static void tell_user(FILE * stream, char *fmt, ...) } static void gui_update_stats(char *name, unsigned long size, - int percentage, unsigned long elapsed) + int percentage, unsigned long elapsed, + unsigned long done, unsigned long eta, + unsigned long ratebs) { unsigned int i; @@ -270,6 +339,18 @@ static void gui_update_stats(char *name, unsigned long size, send_msg((HWND) atoi(gui_hwnd), WM_STATS_SIZE, (WPARAM) size); statsize = size; } + if (statdone != done) { + send_msg((HWND) atoi(gui_hwnd), WM_STATS_DONE, (WPARAM) done); + statdone = done; + } + if (stateta != eta) { + send_msg((HWND) atoi(gui_hwnd), WM_STATS_ETA, (WPARAM) eta); + stateta = eta; + } + if (statratebs != ratebs) { + send_msg((HWND) atoi(gui_hwnd), WM_STATS_RATEBS, (WPARAM) ratebs); + statratebs = ratebs; + } if (statelapsed != elapsed) { send_msg((HWND) atoi(gui_hwnd), WM_STATS_ELAPSED, (WPARAM) elapsed); @@ -373,8 +454,6 @@ int from_backend(int is_stderr, char *data, int datalen) return 0; } - inbuf_head = 0; - /* * If this is before the real session begins, just return. */ @@ -578,6 +657,32 @@ static void do_cmd(char *host, char *user, char *cmd) cfg.port = 22; } + /* + * Trim leading whitespace off the hostname if it's there. + */ + { + int space = strspn(cfg.host, " \t"); + memmove(cfg.host, cfg.host+space, 1+strlen(cfg.host)-space); + } + + /* See if host is of the form user@host */ + if (cfg.host[0] != '\0') { + char *atsign = strchr(cfg.host, '@'); + /* Make sure we're not overflowing the user field */ + if (atsign) { + if (atsign - cfg.host < sizeof cfg.username) { + strncpy(cfg.username, cfg.host, atsign - cfg.host); + cfg.username[atsign - cfg.host] = '\0'; + } + memmove(cfg.host, atsign + 1, 1 + strlen(atsign + 1)); + } + } + + /* + * Trim a colon suffix off the hostname if it's there. + */ + cfg.host[strcspn(cfg.host, ":")] = '\0'; + /* Set username */ if (user != NULL && user[0] != '\0') { strncpy(cfg.username, user, sizeof(cfg.username) - 1); @@ -602,6 +707,15 @@ static void do_cmd(char *host, char *user, char *cmd) cfg.port = portnumber; /* + * Disable scary things which shouldn't be enabled for simple + * things like SCP and SFTP: agent forwarding, port forwarding, + * X forwarding. + */ + cfg.x11_forward = 0; + cfg.agentfwd = 0; + cfg.portfwd[0] = cfg.portfwd[1] = '\0'; + + /* * Attempt to start the SFTP subsystem as a first choice, * falling back to the provided scp command if that fails. */ @@ -613,7 +727,7 @@ static void do_cmd(char *host, char *user, char *cmd) back = &ssh_backend; - err = back->init(cfg.host, cfg.port, &realhost); + err = back->init(cfg.host, cfg.port, &realhost, 0); if (err != NULL) bump("ssh_init: %s", err); ssh_scp_init(); @@ -633,26 +747,29 @@ static void print_stats(char *name, unsigned long size, unsigned long done, char etastr[10]; int pct; int len; + int elap; - /* GUI Adaptation - Sept 2000 */ - if (gui_mode) - gui_update_stats(name, size, (int) (100 * (done * 1.0 / size)), - (unsigned long) difftime(now, start)); - else { - if (now > start) - ratebs = (float) done / (now - start); - else - ratebs = (float) done; + elap = (unsigned long) difftime(now, start); - if (ratebs < 1.0) - eta = size - done; - else - eta = (unsigned long) ((size - done) / ratebs); - sprintf(etastr, "%02ld:%02ld:%02ld", - eta / 3600, (eta % 3600) / 60, eta % 60); + if (now > start) + ratebs = (float) done / elap; + else + ratebs = (float) done; + + if (ratebs < 1.0) + eta = size - done; + else + eta = (unsigned long) ((size - done) / ratebs); + sprintf(etastr, "%02ld:%02ld:%02ld", + eta / 3600, (eta % 3600) / 60, eta % 60); - pct = (int) (100.0 * (float) done / size); + pct = (int) (100 * (done * 1.0 / size)); + if (gui_mode) + /* GUI Adaptation - Sept 2000 */ + gui_update_stats(name, size, pct, elap, done, eta, + (unsigned long) ratebs); + else { len = printf("\r%-25.25s | %10ld kB | %5.1f kB/s | ETA: %8s | %3d%%", name, done / 1024, ratebs / 1024.0, etastr, pct); if (len < prev_stats_len) @@ -685,12 +802,17 @@ static char *colon(char *str) /* * Return a pointer to the portion of str that comes after the last - * slash (or backslash, if `local' is TRUE). + * slash (or backslash or colon, if `local' is TRUE). */ static char *stripslashes(char *str, int local) { char *p; + if (local) { + p = strchr(str, ':'); + if (p) str = p+1; + } + p = strrchr(str, '/'); if (p) str = p+1; @@ -771,14 +893,13 @@ void scp_sftp_listdir(char *dirname) struct fxp_names *names; struct fxp_name *ournames; int nnames, namesize; - char *dir; int i; printf("Listing directory %s\n", dirname); dirh = fxp_opendir(dirname); if (dirh == NULL) { - printf("Unable to open %s: %s\n", dir, fxp_error()); + printf("Unable to open %s: %s\n", dirname, fxp_error()); } else { nnames = namesize = 0; ournames = NULL; @@ -789,7 +910,7 @@ void scp_sftp_listdir(char *dirname) if (names == NULL) { if (fxp_error_type() == SSH_FX_EOF) break; - printf("Reading directory %s: %s\n", dir, fxp_error()); + printf("Reading directory %s: %s\n", dirname, fxp_error()); break; } if (names->nnames == 0) { @@ -836,6 +957,7 @@ static struct scp_sftp_dirstack { int namepos, namelen; char *dirpath; char *wildcard; + int matched_something; /* wildcard match set was non-empty */ } *scp_sftp_dirstack_head; static char *scp_sftp_remotepath, *scp_sftp_currentname; static char *scp_sftp_wildcard; @@ -1173,7 +1295,6 @@ int scp_get_sink_action(struct scp_sink_action *act) * Simple case: we are only dealing with one file. */ fname = scp_sftp_remotepath; -printf("oi :%s:\n", fname); must_free_fname = 0; scp_sftp_donethistarget = 1; } else { @@ -1196,12 +1317,11 @@ printf("oi :%s:\n", fname); !wc_match(head->wildcard, head->names[head->namepos].filename)))) head->namepos++; /* skip . and .. */ -printf("ooh\n"); if (head->namepos < head->namelen) { + head->matched_something = 1; fname = dupcat(head->dirpath, "/", head->names[head->namepos++].filename, NULL); -printf("got :%s:\n", fname); must_free_fname = 1; } else { /* @@ -1211,7 +1331,13 @@ printf("got :%s:\n", fname); */ if (head->wildcard) { act->action = SCP_SINK_RETRY; + if (!head->matched_something) { + tell_user(stderr, "pscp: wildcard '%s' matched " + "no files", head->wildcard); + errs++; + } sfree(head->wildcard); + } else { act->action = SCP_SINK_ENDDIR; } @@ -1224,7 +1350,7 @@ printf("got :%s:\n", fname); return 0; } } -printf("filename :%s:\n", fname); + /* * Now we have a filename. Stat it, and see if it's a file * or a directory. @@ -1332,6 +1458,7 @@ printf("filename :%s:\n", fname); newitem->dirpath = dupstr(fname); if (scp_sftp_wildcard) { newitem->wildcard = scp_sftp_wildcard; + newitem->matched_something = 0; scp_sftp_wildcard = NULL; } else { newitem->wildcard = NULL; @@ -1691,9 +1818,7 @@ static void rsource(char *src) static void sink(char *targ, char *src) { char *destfname; - char ch; int targisdir = 0; - int settime; int exists; DWORD attr; HANDLE f; @@ -1727,9 +1852,10 @@ static void sink(char *targ, char *src) * Prevent the remote side from maliciously writing to * files outside the target area by sending a filename * containing `../'. In fact, it shouldn't be sending - * filenames with any slashes in at all; so we'll find - * the last slash or backslash in the filename and use - * only the part after that. (And warn!) + * filenames with any slashes or colons in at all; so + * we'll find the last slash, backslash or colon in the + * filename and use only the part after that. (And + * warn!) * * In addition, we also ensure here that if we're * copying a single file and the target is a directory @@ -1739,23 +1865,27 @@ static void sink(char *targ, char *src) * and the last component of that will fail to match * (the last component of) the name sent. * - * (Well, not always; if `src' is a wildcard, we do + * Well, not always; if `src' is a wildcard, we do * expect to get back filenames that don't correspond - * exactly to it. So we skip this check if `src' - * contains a *, a ? or a []. This is non-ideal - we - * would like to ensure that the returned filename - * actually matches the wildcard pattern - but one of - * SCP's protocol infelicities is that wildcard - * matching is done at the server end _by the server's - * rules_ and so in general this is infeasible. Live - * with it, or upgrade to SFTP.) + * exactly to it. Ideally in this case, we would like + * to ensure that the returned filename actually + * matches the wildcard pattern - but one of SCP's + * protocol infelicities is that wildcard matching is + * done at the server end _by the server's rules_ and + * so in general this is infeasible. Hence, we only + * accept filenames that don't correspond to `src' if + * unsafe mode is enabled or we are using SFTP (which + * resolves remote wildcards on the client side and can + * be trusted). */ char *striptarget, *stripsrc; striptarget = stripslashes(act.name, 1); if (striptarget != act.name) { tell_user(stderr, "warning: remote host sent a compound" - " pathname - possibly malicious! (ignored)"); + " pathname '%s'", act.name); + tell_user(stderr, " renaming local file to '%s'", + striptarget); } /* @@ -1770,10 +1900,16 @@ static void sink(char *targ, char *src) if (src) { stripsrc = stripslashes(src, 1); - if (!stripsrc[strcspn(stripsrc, "*?[]")] && - strcmp(striptarget, stripsrc)) { - tell_user(stderr, "warning: remote host attempted to" - " write to a different filename: disallowing"); + if (strcmp(striptarget, stripsrc) && + !using_sftp && !scp_unsafe_mode) { + tell_user(stderr, "warning: remote host tried to write " + "to a file called '%s'", striptarget); + tell_user(stderr, " when we requested a file " + "called '%s'.", stripsrc); + tell_user(stderr, " If this is a wildcard, " + "consider upgrading to SSH 2 or using"); + tell_user(stderr, " the '-unsafe' option. Renaming" + " of this file has been disallowed."); /* Override the name the server provided with our own. */ striptarget = stripsrc; } @@ -1872,7 +2008,7 @@ static void sink(char *targ, char *src) } (void) scp_finish_filerecv(); sfree(destfname); - sfree(act.name); + sfree(act.buf); } } @@ -1953,13 +2089,6 @@ static void toremote(int argc, char *argv[]) */ srcpath = dupstr(src); last = stripslashes(srcpath, 1); - if (last == srcpath) { - last = strchr(srcpath, ':'); - if (last) - last++; - else - last = srcpath; - } *last = '\0'; dir = FindFirstFile(src, &fdat); @@ -1968,7 +2097,6 @@ static void toremote(int argc, char *argv[]) continue; } do { - char *last; char *filename; /* * Ensure that . and .. are never matched by wildcards, @@ -2144,6 +2272,7 @@ static void usage(void) printf(" -v show verbose messages\n"); printf(" -P port connect to specified port\n"); printf(" -pw passw login with specified password\n"); + printf(" -unsafe allow server-side wildcards (DANGEROUS)\n"); #if 0 /* * -gui is an internal option, used by GUI front ends to get @@ -2194,6 +2323,8 @@ int main(int argc, char *argv[]) gui_mode = 1; } else if (strcmp(argv[i], "-ls") == 0) list = 1; + else if (strcmp(argv[i], "-unsafe") == 0) + scp_unsafe_mode = 1; else if (strcmp(argv[i], "--") == 0) { i++; break;