From cd1f39ab348b0e42d9aed1bcf5b1edc55dc93821 Mon Sep 17 00:00:00 2001
From: simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Date: Mon, 27 Aug 2001 15:02:52 +0000
Subject: [PATCH] Finally tighten up the server-side wildcard security hole,
 the _right_ way. (SSWs are disabled by default and can be re-enabled using
 `-unsafe', meaning that pscp will _never_ do anything unexpected to your
 local file system unless you explicitly give consent. The sftp-based variant
 will work fine because the corresponding mechanism is _not_ unsafe.)

git-svn-id: svn://svn.tartarus.org/sgt/putty@1212 cda61777-01e9-0310-a592-d414129be87e
---
 scp.c | 43 ++++++++++++++++++++++++++-----------------
 1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/scp.c b/scp.c
index 7ab31207..8b71390e 100644
--- a/scp.c
+++ b/scp.c
@@ -57,6 +57,7 @@ static int targetshouldbedirectory = 0;
 static int statistics = 1;
 static int portnumber = 0;
 static int prev_stats_len = 0;
+static int scp_unsafe_mode = 0;
 static char *password = NULL;
 static int errs = 0;
 /* GUI Adaptation - Sept 2000 */
@@ -1173,7 +1174,6 @@ int scp_get_sink_action(struct scp_sink_action *act)
 		 * Simple case: we are only dealing with one file.
 		 */
 		fname = scp_sftp_remotepath;
-printf("oi :%s:\n", fname);
 		must_free_fname = 0;
 		scp_sftp_donethistarget = 1;
 	    } else {
@@ -1196,12 +1196,10 @@ printf("oi :%s:\n", fname);
 		     !wc_match(head->wildcard,
 			       head->names[head->namepos].filename))))
 		head->namepos++;       /* skip . and .. */
-printf("ooh\n");
 	    if (head->namepos < head->namelen) {
 		fname = dupcat(head->dirpath, "/",
 			       head->names[head->namepos++].filename,
 			       NULL);
-printf("got :%s:\n", fname);
 		must_free_fname = 1;
 	    } else {
 		/*
@@ -1224,7 +1222,7 @@ printf("got :%s:\n", fname);
 		return 0;
 	    }
 	}
-printf("filename :%s:\n", fname);
+
 	/*
 	 * Now we have a filename. Stat it, and see if it's a file
 	 * or a directory.
@@ -1739,16 +1737,18 @@ static void sink(char *targ, char *src)
 	     * and the last component of that will fail to match
 	     * (the last component of) the name sent.
 	     * 
-	     * (Well, not always; if `src' is a wildcard, we do
+	     * Well, not always; if `src' is a wildcard, we do
 	     * expect to get back filenames that don't correspond
-	     * exactly to it. So we skip this check if `src'
-	     * contains a *, a ? or a []. This is non-ideal - we
-	     * would like to ensure that the returned filename
-	     * actually matches the wildcard pattern - but one of
-	     * SCP's protocol infelicities is that wildcard
-	     * matching is done at the server end _by the server's
-	     * rules_ and so in general this is infeasible. Live
-	     * with it, or upgrade to SFTP.)
+	     * exactly to it. Ideally in this case, we would like
+	     * to ensure that the returned filename actually
+	     * matches the wildcard pattern - but one of SCP's
+	     * protocol infelicities is that wildcard matching is
+	     * done at the server end _by the server's rules_ and
+	     * so in general this is infeasible. Hence, we only
+	     * accept filenames that don't correspond to `src' if
+	     * unsafe mode is enabled or we are using SFTP (which
+	     * resolves remote wildcards on the client side and can
+	     * be trusted).
 	     */
 	    char *striptarget, *stripsrc;
 
@@ -1770,10 +1770,16 @@ static void sink(char *targ, char *src)
 
 	    if (src) {
 		stripsrc = stripslashes(src, 1);
-		if (!stripsrc[strcspn(stripsrc, "*?[]")] &&
-		    strcmp(striptarget, stripsrc)) {
-		    tell_user(stderr, "warning: remote host attempted to"
-			      " write to a different filename: disallowing");
+		if (strcmp(striptarget, stripsrc) &&
+		    !using_sftp && !scp_unsafe_mode) {
+		    tell_user(stderr, "warning: remote host tried to write "
+			      "to a file called '%s'", striptarget);
+		    tell_user(stderr, "         when we requested a file "
+			      "called '%s'.", stripsrc);
+		    tell_user(stderr, "         If this is a wildcard, "
+			      "consider upgrading to SSH 2 or using");
+		    tell_user(stderr, "         the '-unsafe' option. Renaming"
+			      " of this file has been disallowed.");
 		    /* Override the name the server provided with our own. */
 		    striptarget = stripsrc;
 		}
@@ -2144,6 +2150,7 @@ static void usage(void)
     printf("  -v        show verbose messages\n");
     printf("  -P port   connect to specified port\n");
     printf("  -pw passw login with specified password\n");
+    printf("  -unsafe   allow server-side wildcards (DANGEROUS)\n");
 #if 0
     /*
      * -gui is an internal option, used by GUI front ends to get
@@ -2194,6 +2201,8 @@ int main(int argc, char *argv[])
 	    gui_mode = 1;
 	} else if (strcmp(argv[i], "-ls") == 0)
 	    list = 1;
+	else if (strcmp(argv[i], "-unsafe") == 0)
+	    scp_unsafe_mode = 1;
 	else if (strcmp(argv[i], "--") == 0) {
 	    i++;
 	    break;
-- 
2.11.0