X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/fd5e5847eb0f834ce8124f0574bd3cfaf878db53..2ed9fb8a1161813bd21e396475d4810f27fac7eb:/scp.c diff --git a/scp.c b/scp.c index cd4fff75..aca1cf39 100644 --- a/scp.c +++ b/scp.c @@ -22,9 +22,6 @@ #include #include #include -/* GUI Adaptation - Sept 2000 */ -#include -#include #define PUTTY_DO_GLOBALS #include "putty.h" @@ -57,6 +54,7 @@ static int targetshouldbedirectory = 0; static int statistics = 1; static int portnumber = 0; static int prev_stats_len = 0; +static int scp_unsafe_mode = 0; static char *password = NULL; static int errs = 0; /* GUI Adaptation - Sept 2000 */ @@ -651,7 +649,7 @@ static void print_stats(char *name, unsigned long size, unsigned long done, sprintf(etastr, "%02ld:%02ld:%02ld", eta / 3600, (eta % 3600) / 60, eta % 60); - pct = (int) (100.0 * (float) done / size); + pct = (int) (100 * (done * 1.0 / size)); len = printf("\r%-25.25s | %10ld kB | %5.1f kB/s | ETA: %8s | %3d%%", name, done / 1024, ratebs / 1024.0, etastr, pct); @@ -685,17 +683,24 @@ static char *colon(char *str) /* * Return a pointer to the portion of str that comes after the last - * slash or backslash. + * slash (or backslash or colon, if `local' is TRUE). */ -static char *stripslashes(char *str) +static char *stripslashes(char *str, int local) { char *p; + if (local) { + p = strchr(str, ':'); + if (p) str = p+1; + } + p = strrchr(str, '/'); if (p) str = p+1; - p = strrchr(str, '\\'); - if (p) str = p+1; + if (local) { + p = strrchr(str, '\\'); + if (p) str = p+1; + } return str; } @@ -769,14 +774,13 @@ void scp_sftp_listdir(char *dirname) struct fxp_names *names; struct fxp_name *ournames; int nnames, namesize; - char *dir; int i; printf("Listing directory %s\n", dirname); dirh = fxp_opendir(dirname); if (dirh == NULL) { - printf("Unable to open %s: %s\n", dir, fxp_error()); + printf("Unable to open %s: %s\n", dirname, fxp_error()); } else { nnames = namesize = 0; ournames = NULL; @@ -787,7 +791,7 @@ void scp_sftp_listdir(char *dirname) if (names == NULL) { if (fxp_error_type() == SSH_FX_EOF) break; - printf("Reading directory %s: %s\n", dir, fxp_error()); + printf("Reading directory %s: %s\n", dirname, fxp_error()); break; } if (names->nnames == 0) { @@ -833,8 +837,11 @@ static struct scp_sftp_dirstack { struct fxp_name *names; int namepos, namelen; char *dirpath; + char *wildcard; + int matched_something; /* wildcard match set was non-empty */ } *scp_sftp_dirstack_head; static char *scp_sftp_remotepath, *scp_sftp_currentname; +static char *scp_sftp_wildcard; static int scp_sftp_targetisdir, scp_sftp_donethistarget; static int scp_sftp_preserve, scp_sftp_recursive; static unsigned long scp_sftp_mtime, scp_sftp_atime; @@ -1058,15 +1065,79 @@ int scp_send_enddir(void) * right at the start, whereas scp_sink_init is called to * initialise every level of recursion in the protocol. */ -void scp_sink_setup(char *source, int preserve, int recursive) +int scp_sink_setup(char *source, int preserve, int recursive) { if (using_sftp) { - scp_sftp_remotepath = dupstr(source); + char *newsource; + /* + * It's possible that the source string we've been given + * contains a wildcard. If so, we must split the directory + * away from the wildcard itself (throwing an error if any + * wildcardness comes before the final slash) and arrange + * things so that a dirstack entry will be set up. + */ + newsource = smalloc(1+strlen(source)); + if (!wc_unescape(newsource, source)) { + /* Yes, here we go; it's a wildcard. Bah. */ + char *dupsource, *lastpart, *dirpart, *wildcard; + dupsource = dupstr(source); + lastpart = stripslashes(dupsource, 0); + wildcard = dupstr(lastpart); + *lastpart = '\0'; + if (*dupsource && dupsource[1]) { + /* + * The remains of dupsource are at least two + * characters long, meaning the pathname wasn't + * empty or just `/'. Hence, we remove the trailing + * slash. + */ + lastpart[-1] = '\0'; + } else if (!*dupsource) { + /* + * The remains of dupsource are _empty_ - the whole + * pathname was a wildcard. Hence we need to + * replace it with ".". + */ + sfree(dupsource); + dupsource = dupstr("."); + } + + /* + * Now we have separated our string into dupsource (the + * directory part) and wildcard. Both of these will + * need freeing at some point. Next step is to remove + * wildcard escapes from the directory part, throwing + * an error if it contains a real wildcard. + */ + dirpart = smalloc(1+strlen(dupsource)); + if (!wc_unescape(dirpart, dupsource)) { + tell_user(stderr, "%s: multiple-level wildcards unsupported", + source); + errs++; + sfree(dirpart); + sfree(wildcard); + sfree(dupsource); + return 1; + } + + /* + * Now we have dirpart (unescaped, ie a valid remote + * path), and wildcard (a wildcard). This will be + * sufficient to arrange a dirstack entry. + */ + scp_sftp_remotepath = dirpart; + scp_sftp_wildcard = wildcard; + sfree(dupsource); + } else { + scp_sftp_remotepath = newsource; + scp_sftp_wildcard = NULL; + } scp_sftp_preserve = preserve; scp_sftp_recursive = recursive; scp_sftp_donethistarget = 0; scp_sftp_dirstack_head = NULL; } + return 0; } int scp_sink_init(void) @@ -1080,6 +1151,7 @@ int scp_sink_init(void) #define SCP_SINK_FILE 1 #define SCP_SINK_DIR 2 #define SCP_SINK_ENDDIR 3 +#define SCP_SINK_RETRY 4 /* not an action; just try again */ struct scp_sink_action { int action; /* FILE, DIR, ENDDIR */ char *buf; /* will need freeing after use */ @@ -1121,9 +1193,13 @@ int scp_get_sink_action(struct scp_sink_action *act) */ struct scp_sftp_dirstack *head = scp_sftp_dirstack_head; while (head->namepos < head->namelen && - is_dots(head->names[head->namepos].filename)) + (is_dots(head->names[head->namepos].filename) || + (head->wildcard && + !wc_match(head->wildcard, + head->names[head->namepos].filename)))) head->namepos++; /* skip . and .. */ if (head->namepos < head->namelen) { + head->matched_something = 1; fname = dupcat(head->dirpath, "/", head->names[head->namepos++].filename, NULL); @@ -1131,15 +1207,27 @@ int scp_get_sink_action(struct scp_sink_action *act) } else { /* * We've come to the end of the list; pop it off - * the stack and return an ENDDIR action. + * the stack and return an ENDDIR action (or RETRY + * if this was a wildcard match). */ - + if (head->wildcard) { + act->action = SCP_SINK_RETRY; + if (!head->matched_something) { + tell_user(stderr, "pscp: wildcard '%s' matched " + "no files", head->wildcard); + errs++; + } + sfree(head->wildcard); + + } else { + act->action = SCP_SINK_ENDDIR; + } + sfree(head->dirpath); sfree(head->names); scp_sftp_dirstack_head = head->next; sfree(head); - act->action = SCP_SINK_ENDDIR; return 0; } } @@ -1164,22 +1252,36 @@ int scp_get_sink_action(struct scp_sink_action *act) struct fxp_names *names; /* - * It's a directory. If we're not in recursive - * mode, this just merits a complaint. + * It's a directory. If we're not in recursive mode, + * this merits a complaint (which is fatal if the name + * was specified directly, but not if it was matched by + * a wildcard). + * + * We skip this complaint completely if + * scp_sftp_wildcard is set, because that's an + * indication that we're not actually supposed to + * _recursively_ transfer the dir, just scan it for + * things matching the wildcard. */ - if (!scp_sftp_recursive) { + if (!scp_sftp_recursive && !scp_sftp_wildcard) { tell_user(stderr, "pscp: %s: is a directory", fname); errs++; if (must_free_fname) sfree(fname); - return 1; + if (scp_sftp_dirstack_head) { + act->action = SCP_SINK_RETRY; + return 0; + } else { + return 1; + } } /* * Otherwise, the fun begins. We must fxp_opendir() the * directory, slurp the filenames into memory, return - * SCP_SINK_DIR, and set targetisdir. The next time - * we're called, we will run through the list of - * filenames one by one. + * SCP_SINK_DIR (unless this is a wildcard match), and + * set targetisdir. The next time we're called, we will + * run through the list of filenames one by one, + * matching them against a wildcard if present. * * If targetisdir is _already_ set (meaning we're * already in the middle of going through another such @@ -1235,20 +1337,31 @@ int scp_get_sink_action(struct scp_sink_action *act) newitem->dirpath = fname; else newitem->dirpath = dupstr(fname); + if (scp_sftp_wildcard) { + newitem->wildcard = scp_sftp_wildcard; + newitem->matched_something = 0; + scp_sftp_wildcard = NULL; + } else { + newitem->wildcard = NULL; + } scp_sftp_dirstack_head = newitem; - act->action = SCP_SINK_DIR; - act->buf = dupstr(stripslashes(fname)); - act->name = act->buf; - act->size = 0; /* duhh, it's a directory */ - act->mode = 07777 & attrs.permissions; - if (scp_sftp_preserve && - (attrs.flags & SSH_FILEXFER_ATTR_ACMODTIME)) { - act->atime = attrs.atime; - act->mtime = attrs.mtime; - act->settime = 1; - } else - act->settime = 0; + if (newitem->wildcard) { + act->action = SCP_SINK_RETRY; + } else { + act->action = SCP_SINK_DIR; + act->buf = dupstr(stripslashes(fname, 0)); + act->name = act->buf; + act->size = 0; /* duhh, it's a directory */ + act->mode = 07777 & attrs.permissions; + if (scp_sftp_preserve && + (attrs.flags & SSH_FILEXFER_ATTR_ACMODTIME)) { + act->atime = attrs.atime; + act->mtime = attrs.mtime; + act->settime = 1; + } else + act->settime = 0; + } return 0; } else { @@ -1256,7 +1369,7 @@ int scp_get_sink_action(struct scp_sink_action *act) * It's a file. Return SCP_SINK_FILE. */ act->action = SCP_SINK_FILE; - act->buf = dupstr(stripslashes(fname)); + act->buf = dupstr(stripslashes(fname, 0)); act->name = act->buf; if (attrs.flags & SSH_FILEXFER_ATTR_SIZE) { if (uint64_compare(attrs.size, @@ -1586,9 +1699,7 @@ static void rsource(char *src) static void sink(char *targ, char *src) { char *destfname; - char ch; int targisdir = 0; - int settime; int exists; DWORD attr; HANDLE f; @@ -1614,14 +1725,18 @@ static void sink(char *targ, char *src) if (act.action == SCP_SINK_ENDDIR) return; + if (act.action == SCP_SINK_RETRY) + continue; + if (targisdir) { /* * Prevent the remote side from maliciously writing to * files outside the target area by sending a filename * containing `../'. In fact, it shouldn't be sending - * filenames with any slashes in at all; so we'll find - * the last slash or backslash in the filename and use - * only the part after that. (And warn!) + * filenames with any slashes or colons in at all; so + * we'll find the last slash, backslash or colon in the + * filename and use only the part after that. (And + * warn!) * * In addition, we also ensure here that if we're * copying a single file and the target is a directory @@ -1631,23 +1746,27 @@ static void sink(char *targ, char *src) * and the last component of that will fail to match * (the last component of) the name sent. * - * (Well, not always; if `src' is a wildcard, we do + * Well, not always; if `src' is a wildcard, we do * expect to get back filenames that don't correspond - * exactly to it. So we skip this check if `src' - * contains a *, a ? or a []. This is non-ideal - we - * would like to ensure that the returned filename - * actually matches the wildcard pattern - but one of - * SCP's protocol infelicities is that wildcard - * matching is done at the server end _by the server's - * rules_ and so in general this is infeasible. Live - * with it, or upgrade to SFTP.) + * exactly to it. Ideally in this case, we would like + * to ensure that the returned filename actually + * matches the wildcard pattern - but one of SCP's + * protocol infelicities is that wildcard matching is + * done at the server end _by the server's rules_ and + * so in general this is infeasible. Hence, we only + * accept filenames that don't correspond to `src' if + * unsafe mode is enabled or we are using SFTP (which + * resolves remote wildcards on the client side and can + * be trusted). */ char *striptarget, *stripsrc; - striptarget = stripslashes(act.name); + striptarget = stripslashes(act.name, 1); if (striptarget != act.name) { tell_user(stderr, "warning: remote host sent a compound" - " pathname - possibly malicious! (ignored)"); + " pathname '%s'", act.name); + tell_user(stderr, " renaming local file to '%s'", + striptarget); } /* @@ -1661,11 +1780,17 @@ static void sink(char *targ, char *src) } if (src) { - stripsrc = stripslashes(src); - if (!stripsrc[strcspn(stripsrc, "*?[]")] && - strcmp(striptarget, stripsrc)) { - tell_user(stderr, "warning: remote host attempted to" - " write to a different filename: disallowing"); + stripsrc = stripslashes(src, 1); + if (strcmp(striptarget, stripsrc) && + !using_sftp && !scp_unsafe_mode) { + tell_user(stderr, "warning: remote host tried to write " + "to a file called '%s'", striptarget); + tell_user(stderr, " when we requested a file " + "called '%s'.", stripsrc); + tell_user(stderr, " If this is a wildcard, " + "consider upgrading to SSH 2 or using"); + tell_user(stderr, " the '-unsafe' option. Renaming" + " of this file has been disallowed."); /* Override the name the server provided with our own. */ striptarget = stripsrc; } @@ -1715,7 +1840,7 @@ static void sink(char *targ, char *src) stat_bytes = 0; stat_starttime = time(NULL); stat_lasttime = 0; - stat_name = stripslashes(destfname); + stat_name = stripslashes(destfname, 1); received = 0; while (received < act.size) { @@ -1764,7 +1889,7 @@ static void sink(char *targ, char *src) } (void) scp_finish_filerecv(); sfree(destfname); - sfree(act.name); + sfree(act.buf); } } @@ -1844,14 +1969,7 @@ static void toremote(int argc, char *argv[]) * filenames returned from Find{First,Next}File. */ srcpath = dupstr(src); - last = stripslashes(srcpath); - if (last == srcpath) { - last = strchr(srcpath, ':'); - if (last) - last++; - else - last = srcpath; - } + last = stripslashes(srcpath, 1); *last = '\0'; dir = FindFirstFile(src, &fdat); @@ -1860,7 +1978,6 @@ static void toremote(int argc, char *argv[]) continue; } do { - char *last; char *filename; /* * Ensure that . and .. are never matched by wildcards, @@ -1937,7 +2054,8 @@ static void tolocal(int argc, char *argv[]) do_cmd(host, user, cmd); sfree(cmd); - scp_sink_setup(src, preserve, recursive); + if (scp_sink_setup(src, preserve, recursive)) + return; sink(targ, src); } @@ -2035,6 +2153,7 @@ static void usage(void) printf(" -v show verbose messages\n"); printf(" -P port connect to specified port\n"); printf(" -pw passw login with specified password\n"); + printf(" -unsafe allow server-side wildcards (DANGEROUS)\n"); #if 0 /* * -gui is an internal option, used by GUI front ends to get @@ -2085,6 +2204,8 @@ int main(int argc, char *argv[]) gui_mode = 1; } else if (strcmp(argv[i], "-ls") == 0) list = 1; + else if (strcmp(argv[i], "-unsafe") == 0) + scp_unsafe_mode = 1; else if (strcmp(argv[i], "--") == 0) { i++; break;