X-Git-Url: https://git.distorted.org.uk/~mdw/sgt/putty/blobdiff_plain/37dfb97a93019ac86cce81f023cd8a33df69b2d8..4ed34d251770cb8dd7f13217976d1dec9452b5e6:/scp.c diff --git a/scp.c b/scp.c index 7b5dbe2a..8237f902 100644 --- a/scp.c +++ b/scp.c @@ -1,11 +1,15 @@ /* - * scp.c - Scp (Secure Copy) client for PuTTY. - * Joris van Rantwijk, Simon Tatham + * scp.c - Scp (Secure Copy) client for PuTTY. + * Joris van Rantwijk, Simon Tatham * - * This is mainly based on ssh-1.2.26/scp.c by Timo Rinne & Tatu Ylonen. - * They, in turn, used stuff from BSD rcp. - * - * Adaptations to enable connecting a GUI by L. Gunnarsson - Sept 2000 + * This is mainly based on ssh-1.2.26/scp.c by Timo Rinne & Tatu Ylonen. + * They, in turn, used stuff from BSD rcp. + * + * (SGT, 2001-09-10: Joris van Rantwijk assures me that although + * this file as originally submitted was inspired by, and + * _structurally_ based on, ssh-1.2.26's scp.c, there wasn't any + * actual code duplicated, so the above comment shouldn't give rise + * to licensing issues.) */ #include @@ -22,9 +26,6 @@ #include #include #include -/* GUI Adaptation - Sept 2000 */ -#include -#include #define PUTTY_DO_GLOBALS #include "putty.h" @@ -57,6 +58,7 @@ static int targetshouldbedirectory = 0; static int statistics = 1; static int portnumber = 0; static int prev_stats_len = 0; +static int scp_unsafe_mode = 0; static char *password = NULL; static int errs = 0; /* GUI Adaptation - Sept 2000 */ @@ -89,7 +91,7 @@ void logevent(char *string) { } -void ldisc_send(char *buf, int len) +void ldisc_send(char *buf, int len, int interactive) { /* * This is only here because of the calls to ldisc_send(NULL, @@ -373,8 +375,6 @@ int from_backend(int is_stderr, char *data, int datalen) return 0; } - inbuf_head = 0; - /* * If this is before the real session begins, just return. */ @@ -602,6 +602,15 @@ static void do_cmd(char *host, char *user, char *cmd) cfg.port = portnumber; /* + * Disable scary things which shouldn't be enabled for simple + * things like SCP and SFTP: agent forwarding, port forwarding, + * X forwarding. + */ + cfg.x11_forward = 0; + cfg.agentfwd = 0; + cfg.portfwd[0] = cfg.portfwd[1] = '\0'; + + /* * Attempt to start the SFTP subsystem as a first choice, * falling back to the provided scp command if that fails. */ @@ -651,7 +660,7 @@ static void print_stats(char *name, unsigned long size, unsigned long done, sprintf(etastr, "%02ld:%02ld:%02ld", eta / 3600, (eta % 3600) / 60, eta % 60); - pct = (int) (100.0 * (float) done / size); + pct = (int) (100 * (done * 1.0 / size)); len = printf("\r%-25.25s | %10ld kB | %5.1f kB/s | ETA: %8s | %3d%%", name, done / 1024, ratebs / 1024.0, etastr, pct); @@ -685,12 +694,17 @@ static char *colon(char *str) /* * Return a pointer to the portion of str that comes after the last - * slash (or backslash, if `local' is TRUE). + * slash (or backslash or colon, if `local' is TRUE). */ static char *stripslashes(char *str, int local) { char *p; + if (local) { + p = strchr(str, ':'); + if (p) str = p+1; + } + p = strrchr(str, '/'); if (p) str = p+1; @@ -771,14 +785,13 @@ void scp_sftp_listdir(char *dirname) struct fxp_names *names; struct fxp_name *ournames; int nnames, namesize; - char *dir; int i; printf("Listing directory %s\n", dirname); dirh = fxp_opendir(dirname); if (dirh == NULL) { - printf("Unable to open %s: %s\n", dir, fxp_error()); + printf("Unable to open %s: %s\n", dirname, fxp_error()); } else { nnames = namesize = 0; ournames = NULL; @@ -789,7 +802,7 @@ void scp_sftp_listdir(char *dirname) if (names == NULL) { if (fxp_error_type() == SSH_FX_EOF) break; - printf("Reading directory %s: %s\n", dir, fxp_error()); + printf("Reading directory %s: %s\n", dirname, fxp_error()); break; } if (names->nnames == 0) { @@ -836,6 +849,7 @@ static struct scp_sftp_dirstack { int namepos, namelen; char *dirpath; char *wildcard; + int matched_something; /* wildcard match set was non-empty */ } *scp_sftp_dirstack_head; static char *scp_sftp_remotepath, *scp_sftp_currentname; static char *scp_sftp_wildcard; @@ -1089,6 +1103,14 @@ int scp_sink_setup(char *source, int preserve, int recursive) * slash. */ lastpart[-1] = '\0'; + } else if (!*dupsource) { + /* + * The remains of dupsource are _empty_ - the whole + * pathname was a wildcard. Hence we need to + * replace it with ".". + */ + sfree(dupsource); + dupsource = dupstr("."); } /* @@ -1188,6 +1210,7 @@ int scp_get_sink_action(struct scp_sink_action *act) head->names[head->namepos].filename)))) head->namepos++; /* skip . and .. */ if (head->namepos < head->namelen) { + head->matched_something = 1; fname = dupcat(head->dirpath, "/", head->names[head->namepos++].filename, NULL); @@ -1200,7 +1223,13 @@ int scp_get_sink_action(struct scp_sink_action *act) */ if (head->wildcard) { act->action = SCP_SINK_RETRY; + if (!head->matched_something) { + tell_user(stderr, "pscp: wildcard '%s' matched " + "no files", head->wildcard); + errs++; + } sfree(head->wildcard); + } else { act->action = SCP_SINK_ENDDIR; } @@ -1321,6 +1350,7 @@ int scp_get_sink_action(struct scp_sink_action *act) newitem->dirpath = dupstr(fname); if (scp_sftp_wildcard) { newitem->wildcard = scp_sftp_wildcard; + newitem->matched_something = 0; scp_sftp_wildcard = NULL; } else { newitem->wildcard = NULL; @@ -1680,9 +1710,7 @@ static void rsource(char *src) static void sink(char *targ, char *src) { char *destfname; - char ch; int targisdir = 0; - int settime; int exists; DWORD attr; HANDLE f; @@ -1716,9 +1744,10 @@ static void sink(char *targ, char *src) * Prevent the remote side from maliciously writing to * files outside the target area by sending a filename * containing `../'. In fact, it shouldn't be sending - * filenames with any slashes in at all; so we'll find - * the last slash or backslash in the filename and use - * only the part after that. (And warn!) + * filenames with any slashes or colons in at all; so + * we'll find the last slash, backslash or colon in the + * filename and use only the part after that. (And + * warn!) * * In addition, we also ensure here that if we're * copying a single file and the target is a directory @@ -1728,23 +1757,27 @@ static void sink(char *targ, char *src) * and the last component of that will fail to match * (the last component of) the name sent. * - * (Well, not always; if `src' is a wildcard, we do + * Well, not always; if `src' is a wildcard, we do * expect to get back filenames that don't correspond - * exactly to it. So we skip this check if `src' - * contains a *, a ? or a []. This is non-ideal - we - * would like to ensure that the returned filename - * actually matches the wildcard pattern - but one of - * SCP's protocol infelicities is that wildcard - * matching is done at the server end _by the server's - * rules_ and so in general this is infeasible. Live - * with it, or upgrade to SFTP.) + * exactly to it. Ideally in this case, we would like + * to ensure that the returned filename actually + * matches the wildcard pattern - but one of SCP's + * protocol infelicities is that wildcard matching is + * done at the server end _by the server's rules_ and + * so in general this is infeasible. Hence, we only + * accept filenames that don't correspond to `src' if + * unsafe mode is enabled or we are using SFTP (which + * resolves remote wildcards on the client side and can + * be trusted). */ char *striptarget, *stripsrc; striptarget = stripslashes(act.name, 1); if (striptarget != act.name) { tell_user(stderr, "warning: remote host sent a compound" - " pathname - possibly malicious! (ignored)"); + " pathname '%s'", act.name); + tell_user(stderr, " renaming local file to '%s'", + striptarget); } /* @@ -1759,10 +1792,16 @@ static void sink(char *targ, char *src) if (src) { stripsrc = stripslashes(src, 1); - if (!stripsrc[strcspn(stripsrc, "*?[]")] && - strcmp(striptarget, stripsrc)) { - tell_user(stderr, "warning: remote host attempted to" - " write to a different filename: disallowing"); + if (strcmp(striptarget, stripsrc) && + !using_sftp && !scp_unsafe_mode) { + tell_user(stderr, "warning: remote host tried to write " + "to a file called '%s'", striptarget); + tell_user(stderr, " when we requested a file " + "called '%s'.", stripsrc); + tell_user(stderr, " If this is a wildcard, " + "consider upgrading to SSH 2 or using"); + tell_user(stderr, " the '-unsafe' option. Renaming" + " of this file has been disallowed."); /* Override the name the server provided with our own. */ striptarget = stripsrc; } @@ -1861,7 +1900,7 @@ static void sink(char *targ, char *src) } (void) scp_finish_filerecv(); sfree(destfname); - sfree(act.name); + sfree(act.buf); } } @@ -1942,13 +1981,6 @@ static void toremote(int argc, char *argv[]) */ srcpath = dupstr(src); last = stripslashes(srcpath, 1); - if (last == srcpath) { - last = strchr(srcpath, ':'); - if (last) - last++; - else - last = srcpath; - } *last = '\0'; dir = FindFirstFile(src, &fdat); @@ -1957,7 +1989,6 @@ static void toremote(int argc, char *argv[]) continue; } do { - char *last; char *filename; /* * Ensure that . and .. are never matched by wildcards, @@ -2133,6 +2164,7 @@ static void usage(void) printf(" -v show verbose messages\n"); printf(" -P port connect to specified port\n"); printf(" -pw passw login with specified password\n"); + printf(" -unsafe allow server-side wildcards (DANGEROUS)\n"); #if 0 /* * -gui is an internal option, used by GUI front ends to get @@ -2183,6 +2215,8 @@ int main(int argc, char *argv[]) gui_mode = 1; } else if (strcmp(argv[i], "-ls") == 0) list = 1; + else if (strcmp(argv[i], "-unsafe") == 0) + scp_unsafe_mode = 1; else if (strcmp(argv[i], "--") == 0) { i++; break;