2002-10-31 19:49:52 +00:00
|
|
|
/*
|
|
|
|
|
* PLink - a command-line (stdin/stdout) variant of PuTTY.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
2003-01-09 18:28:01 +00:00
|
|
|
#include <errno.h>
|
2002-10-31 19:49:52 +00:00
|
|
|
#include <assert.h>
|
|
|
|
|
#include <stdarg.h>
|
2003-01-09 18:28:01 +00:00
|
|
|
#include <signal.h>
|
2002-10-31 19:49:52 +00:00
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <termios.h>
|
2003-01-09 18:06:29 +00:00
|
|
|
#include <pwd.h>
|
|
|
|
|
#include <sys/ioctl.h>
|
2005-09-14 10:53:39 +00:00
|
|
|
#include <sys/time.h>
|
2002-10-31 19:49:52 +00:00
|
|
|
|
|
|
|
|
#include "putty.h"
|
2020-01-29 06:19:30 +00:00
|
|
|
#include "ssh.h"
|
2002-10-31 19:49:52 +00:00
|
|
|
#include "storage.h"
|
|
|
|
|
#include "tree234.h"
|
|
|
|
|
|
|
|
|
|
#define MAX_STDIN_BACKLOG 4096
|
|
|
|
|
|
2018-09-11 14:17:16 +00:00
|
|
|
static LogContext *logctx;
|
2006-08-29 18:50:07 +00:00
|
|
|
|
2007-09-29 12:27:45 +00:00
|
|
|
static struct termios orig_termios;
|
|
|
|
|
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
void cmdline_error(const char *fmt, ...)
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
|
|
|
|
va_list ap;
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
va_start(ap, fmt);
|
|
|
|
|
console_print_error_msg_fmt_v("plink", fmt, ap);
|
2002-10-31 19:49:52 +00:00
|
|
|
va_end(ap);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static bool local_tty = false; /* do we have a local tty? */
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2018-09-11 15:23:38 +00:00
|
|
|
static Backend *backend;
|
2020-02-02 10:00:42 +00:00
|
|
|
static Conf *conf;
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2003-01-09 18:06:29 +00:00
|
|
|
/*
|
2015-01-05 23:41:24 +00:00
|
|
|
* Default settings that are specific to Unix plink.
|
2003-01-09 18:06:29 +00:00
|
|
|
*/
|
2003-01-14 18:43:45 +00:00
|
|
|
char *platform_default_s(const char *name)
|
2003-01-09 18:06:29 +00:00
|
|
|
{
|
|
|
|
|
if (!strcmp(name, "TermType"))
|
2019-09-08 19:29:00 +00:00
|
|
|
return dupstr(getenv("TERM"));
|
2006-08-28 14:29:02 +00:00
|
|
|
if (!strcmp(name, "SerialLine"))
|
2019-09-08 19:29:00 +00:00
|
|
|
return dupstr("/dev/ttyS0");
|
2003-01-09 18:06:29 +00:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-29 19:57:31 +00:00
|
|
|
bool platform_default_b(const char *name, bool def)
|
|
|
|
|
{
|
|
|
|
|
return def;
|
|
|
|
|
}
|
|
|
|
|
|
2003-01-14 18:43:45 +00:00
|
|
|
int platform_default_i(const char *name, int def)
|
2003-01-09 18:06:29 +00:00
|
|
|
{
|
|
|
|
|
return def;
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-01 17:38:59 +00:00
|
|
|
FontSpec *platform_default_fontspec(const char *name)
|
2003-02-01 12:54:40 +00:00
|
|
|
{
|
2011-10-01 17:38:59 +00:00
|
|
|
return fontspec_new("");
|
2003-02-01 12:54:40 +00:00
|
|
|
}
|
|
|
|
|
|
2011-10-02 11:01:57 +00:00
|
|
|
Filename *platform_default_filename(const char *name)
|
2003-02-01 12:54:40 +00:00
|
|
|
{
|
|
|
|
|
if (!strcmp(name, "LogFileName"))
|
2019-09-08 19:29:00 +00:00
|
|
|
return filename_from_str("putty.log");
|
2003-02-01 12:54:40 +00:00
|
|
|
else
|
2019-09-08 19:29:00 +00:00
|
|
|
return filename_from_str("");
|
2003-02-01 12:54:40 +00:00
|
|
|
}
|
|
|
|
|
|
2003-01-14 18:43:45 +00:00
|
|
|
char *x_get_default(const char *key)
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
2019-09-08 19:29:00 +00:00
|
|
|
return NULL; /* this is a stub */
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static void plink_echoedit_update(Seat *seat, bool echo, bool edit)
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
|
|
|
|
/* Update stdin read mode to reflect changes in line discipline. */
|
|
|
|
|
struct termios mode;
|
|
|
|
|
|
2005-04-21 13:57:08 +00:00
|
|
|
if (!local_tty) return;
|
|
|
|
|
|
2002-10-31 19:49:52 +00:00
|
|
|
mode = orig_termios;
|
|
|
|
|
|
|
|
|
|
if (echo)
|
2019-09-08 19:29:00 +00:00
|
|
|
mode.c_lflag |= ECHO;
|
2002-10-31 19:49:52 +00:00
|
|
|
else
|
2019-09-08 19:29:00 +00:00
|
|
|
mode.c_lflag &= ~ECHO;
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2005-01-15 20:39:27 +00:00
|
|
|
if (edit) {
|
2019-09-08 19:29:00 +00:00
|
|
|
mode.c_iflag |= ICRNL;
|
|
|
|
|
mode.c_lflag |= ISIG | ICANON;
|
|
|
|
|
mode.c_oflag |= OPOST;
|
2005-01-15 20:39:27 +00:00
|
|
|
} else {
|
2019-09-08 19:29:00 +00:00
|
|
|
mode.c_iflag &= ~ICRNL;
|
|
|
|
|
mode.c_lflag &= ~(ISIG | ICANON);
|
|
|
|
|
mode.c_oflag &= ~OPOST;
|
|
|
|
|
/* Solaris sets these to unhelpful values */
|
|
|
|
|
mode.c_cc[VMIN] = 1;
|
|
|
|
|
mode.c_cc[VTIME] = 0;
|
|
|
|
|
/* FIXME: perhaps what we do with IXON/IXOFF should be an
|
|
|
|
|
* argument to the echoedit_update() method, to allow
|
|
|
|
|
* implementation of SSH-2 "xon-xoff" and Rlogin's
|
|
|
|
|
* equivalent? */
|
|
|
|
|
mode.c_iflag &= ~IXON;
|
|
|
|
|
mode.c_iflag &= ~IXOFF;
|
2005-01-15 20:39:27 +00:00
|
|
|
}
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
2005-05-14 22:01:10 +00:00
|
|
|
* Mark parity errors and (more important) BREAK on input. This
|
|
|
|
|
* is more complex than it need be because POSIX-2001 suggests
|
|
|
|
|
* that escaping of valid 0xff in the input stream is dependent on
|
|
|
|
|
* IGNPAR being clear even though marking of BREAK isn't. NetBSD
|
|
|
|
|
* 2.0 goes one worse and makes it dependent on INPCK too. We
|
|
|
|
|
* deal with this by forcing these flags into a useful state and
|
|
|
|
|
* then faking the state in which we found them in from_tty() if
|
|
|
|
|
* we get passed a parity or framing error.
|
|
|
|
|
*/
|
|
|
|
|
mode.c_iflag = (mode.c_iflag | INPCK | PARMRK) & ~IGNPAR;
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2007-09-24 21:31:45 +00:00
|
|
|
tcsetattr(STDIN_FILENO, TCSANOW, &mode);
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2005-04-21 13:57:08 +00:00
|
|
|
/* Helper function to extract a special character from a termios. */
|
|
|
|
|
static char *get_ttychar(struct termios *t, int index)
|
|
|
|
|
{
|
|
|
|
|
cc_t c = t->c_cc[index];
|
|
|
|
|
#if defined(_POSIX_VDISABLE)
|
|
|
|
|
if (c == _POSIX_VDISABLE)
|
2019-09-08 19:29:00 +00:00
|
|
|
return dupstr("");
|
2005-04-21 13:57:08 +00:00
|
|
|
#endif
|
|
|
|
|
return dupprintf("^<%d>", c);
|
|
|
|
|
}
|
|
|
|
|
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
static char *plink_get_ttymode(Seat *seat, const char *mode)
|
2005-04-21 13:57:08 +00:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Propagate appropriate terminal modes from the local terminal,
|
|
|
|
|
* if any.
|
|
|
|
|
*/
|
|
|
|
|
if (!local_tty) return NULL;
|
|
|
|
|
|
|
|
|
|
#define GET_CHAR(ourname, uxname) \
|
|
|
|
|
do { \
|
2019-09-08 19:29:00 +00:00
|
|
|
if (strcmp(mode, ourname) == 0) \
|
|
|
|
|
return get_ttychar(&orig_termios, uxname); \
|
2005-04-21 13:57:08 +00:00
|
|
|
} while(0)
|
|
|
|
|
#define GET_BOOL(ourname, uxname, uxmemb, transform) \
|
|
|
|
|
do { \
|
2019-09-08 19:29:00 +00:00
|
|
|
if (strcmp(mode, ourname) == 0) { \
|
|
|
|
|
bool b = (orig_termios.uxmemb & uxname) != 0; \
|
|
|
|
|
transform; \
|
|
|
|
|
return dupprintf("%d", b); \
|
|
|
|
|
} \
|
2005-04-21 13:57:08 +00:00
|
|
|
} while (0)
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Modes that want to be the same on all terminal devices involved.
|
|
|
|
|
*/
|
|
|
|
|
/* All the special characters supported by SSH */
|
|
|
|
|
#if defined(VINTR)
|
|
|
|
|
GET_CHAR("INTR", VINTR);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VQUIT)
|
|
|
|
|
GET_CHAR("QUIT", VQUIT);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VERASE)
|
|
|
|
|
GET_CHAR("ERASE", VERASE);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VKILL)
|
|
|
|
|
GET_CHAR("KILL", VKILL);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VEOF)
|
|
|
|
|
GET_CHAR("EOF", VEOF);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VEOL)
|
|
|
|
|
GET_CHAR("EOL", VEOL);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VEOL2)
|
|
|
|
|
GET_CHAR("EOL2", VEOL2);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VSTART)
|
|
|
|
|
GET_CHAR("START", VSTART);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VSTOP)
|
|
|
|
|
GET_CHAR("STOP", VSTOP);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VSUSP)
|
|
|
|
|
GET_CHAR("SUSP", VSUSP);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VDSUSP)
|
|
|
|
|
GET_CHAR("DSUSP", VDSUSP);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VREPRINT)
|
|
|
|
|
GET_CHAR("REPRINT", VREPRINT);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VWERASE)
|
|
|
|
|
GET_CHAR("WERASE", VWERASE);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VLNEXT)
|
|
|
|
|
GET_CHAR("LNEXT", VLNEXT);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VFLUSH)
|
|
|
|
|
GET_CHAR("FLUSH", VFLUSH);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VSWTCH)
|
|
|
|
|
GET_CHAR("SWTCH", VSWTCH);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VSTATUS)
|
|
|
|
|
GET_CHAR("STATUS", VSTATUS);
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(VDISCARD)
|
|
|
|
|
GET_CHAR("DISCARD", VDISCARD);
|
|
|
|
|
#endif
|
|
|
|
|
/* Modes that "configure" other major modes. These should probably be
|
|
|
|
|
* considered as user preferences. */
|
|
|
|
|
/* Configuration of ICANON */
|
|
|
|
|
#if defined(ECHOK)
|
|
|
|
|
GET_BOOL("ECHOK", ECHOK, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(ECHOKE)
|
|
|
|
|
GET_BOOL("ECHOKE", ECHOKE, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(ECHOE)
|
|
|
|
|
GET_BOOL("ECHOE", ECHOE, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(ECHONL)
|
|
|
|
|
GET_BOOL("ECHONL", ECHONL, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(XCASE)
|
|
|
|
|
GET_BOOL("XCASE", XCASE, c_lflag, );
|
2016-05-07 10:35:59 +00:00
|
|
|
#endif
|
|
|
|
|
#if defined(IUTF8)
|
|
|
|
|
GET_BOOL("IUTF8", IUTF8, c_iflag, );
|
2005-04-21 13:57:08 +00:00
|
|
|
#endif
|
|
|
|
|
/* Configuration of ECHO */
|
|
|
|
|
#if defined(ECHOCTL)
|
|
|
|
|
GET_BOOL("ECHOCTL", ECHOCTL, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
/* Configuration of IXON/IXOFF */
|
|
|
|
|
#if defined(IXANY)
|
|
|
|
|
GET_BOOL("IXANY", IXANY, c_iflag, );
|
|
|
|
|
#endif
|
2005-04-25 23:57:45 +00:00
|
|
|
/* Configuration of OPOST */
|
2005-04-26 00:03:50 +00:00
|
|
|
#if defined(OLCUC)
|
|
|
|
|
GET_BOOL("OLCUC", OLCUC, c_oflag, );
|
|
|
|
|
#endif
|
2005-04-25 23:57:45 +00:00
|
|
|
#if defined(ONLCR)
|
|
|
|
|
GET_BOOL("ONLCR", ONLCR, c_oflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(OCRNL)
|
|
|
|
|
GET_BOOL("OCRNL", OCRNL, c_oflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(ONOCR)
|
|
|
|
|
GET_BOOL("ONOCR", ONOCR, c_oflag, );
|
|
|
|
|
#endif
|
2005-05-08 11:47:59 +00:00
|
|
|
#if defined(ONLRET)
|
2005-04-25 23:57:45 +00:00
|
|
|
GET_BOOL("ONLRET", ONLRET, c_oflag, );
|
|
|
|
|
#endif
|
2005-04-21 13:57:08 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Modes that want to be set in only one place, and that we have
|
|
|
|
|
* squashed locally.
|
|
|
|
|
*/
|
|
|
|
|
#if defined(ISIG)
|
|
|
|
|
GET_BOOL("ISIG", ISIG, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(ICANON)
|
|
|
|
|
GET_BOOL("ICANON", ICANON, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(ECHO)
|
|
|
|
|
GET_BOOL("ECHO", ECHO, c_lflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(IXON)
|
|
|
|
|
GET_BOOL("IXON", IXON, c_iflag, );
|
|
|
|
|
#endif
|
|
|
|
|
#if defined(IXOFF)
|
|
|
|
|
GET_BOOL("IXOFF", IXOFF, c_iflag, );
|
|
|
|
|
#endif
|
2005-04-25 23:57:45 +00:00
|
|
|
#if defined(OPOST)
|
|
|
|
|
GET_BOOL("OPOST", OPOST, c_oflag, );
|
|
|
|
|
#endif
|
2005-04-21 13:57:08 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We do not propagate the following modes:
|
|
|
|
|
* - Parity/serial settings, which are a local affair and don't
|
|
|
|
|
* make sense propagated over SSH's 8-bit byte-stream.
|
|
|
|
|
* IGNPAR PARMRK INPCK CS7 CS8 PARENB PARODD
|
|
|
|
|
* - Things that want to be enabled in one place that we don't
|
|
|
|
|
* squash locally.
|
2005-04-26 00:03:50 +00:00
|
|
|
* IUCLC
|
2005-04-21 13:57:08 +00:00
|
|
|
* - Status bits.
|
|
|
|
|
* PENDIN
|
|
|
|
|
* - Things I don't know what to do with. (FIXME)
|
2005-04-25 23:57:45 +00:00
|
|
|
* ISTRIP IMAXBEL NOFLSH TOSTOP IEXTEN
|
|
|
|
|
* INLCR IGNCR ICRNL
|
2005-04-21 13:57:08 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#undef GET_CHAR
|
|
|
|
|
#undef GET_BOOL
|
|
|
|
|
|
|
|
|
|
/* Fall through to here for unrecognised names, or ones that are
|
|
|
|
|
* unsupported on this platform */
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2002-10-31 19:49:52 +00:00
|
|
|
void cleanup_termios(void)
|
|
|
|
|
{
|
2005-04-21 13:57:08 +00:00
|
|
|
if (local_tty)
|
2019-09-08 19:29:00 +00:00
|
|
|
tcsetattr(STDIN_FILENO, TCSANOW, &orig_termios);
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2020-02-02 10:00:43 +00:00
|
|
|
static bufchain stdout_data, stderr_data;
|
|
|
|
|
static bufchain_sink stdout_bcs, stderr_bcs;
|
|
|
|
|
static StripCtrlChars *stdout_scc, *stderr_scc;
|
|
|
|
|
static BinarySink *stdout_bs, *stderr_bs;
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
|
2020-02-02 10:00:43 +00:00
|
|
|
static enum { EOF_NO, EOF_PENDING, EOF_SENT } outgoingeof;
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2019-02-06 20:42:44 +00:00
|
|
|
size_t try_output(bool is_stderr)
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
|
|
|
|
bufchain *chain = (is_stderr ? &stderr_data : &stdout_data);
|
2007-09-24 21:31:45 +00:00
|
|
|
int fd = (is_stderr ? STDERR_FILENO : STDOUT_FILENO);
|
2019-02-06 20:42:44 +00:00
|
|
|
ssize_t ret;
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2011-09-13 11:44:03 +00:00
|
|
|
if (bufchain_size(chain) > 0) {
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool prev_nonblock = nonblock(fd);
|
2019-02-06 20:46:45 +00:00
|
|
|
ptrlen senddata;
|
2011-09-13 11:44:03 +00:00
|
|
|
do {
|
2019-02-06 20:46:45 +00:00
|
|
|
senddata = bufchain_prefix(chain);
|
|
|
|
|
ret = write(fd, senddata.ptr, senddata.len);
|
2011-09-13 11:44:03 +00:00
|
|
|
if (ret > 0)
|
|
|
|
|
bufchain_consume(chain, ret);
|
2019-02-06 20:46:45 +00:00
|
|
|
} while (ret == senddata.len && bufchain_size(chain) != 0);
|
2013-07-19 18:10:02 +00:00
|
|
|
if (!prev_nonblock)
|
|
|
|
|
no_nonblock(fd);
|
2011-09-13 11:44:03 +00:00
|
|
|
if (ret < 0 && errno != EAGAIN) {
|
|
|
|
|
perror(is_stderr ? "stderr: write" : "stdout: write");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (outgoingeof == EOF_PENDING && bufchain_size(&stdout_data) == 0) {
|
|
|
|
|
close(STDOUT_FILENO);
|
|
|
|
|
outgoingeof = EOF_SENT;
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
2007-10-02 21:43:53 +00:00
|
|
|
return bufchain_size(&stdout_data) + bufchain_size(&stderr_data);
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 20:42:44 +00:00
|
|
|
static size_t plink_output(
|
|
|
|
|
Seat *seat, bool is_stderr, const void *data, size_t len)
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
assert(is_stderr || outgoingeof == EOF_NO);
|
|
|
|
|
|
|
|
|
|
BinarySink *bs = is_stderr ? stderr_bs : stdout_bs;
|
|
|
|
|
put_data(bs, data, len);
|
|
|
|
|
|
|
|
|
|
return try_output(is_stderr);
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
static bool plink_eof(Seat *seat)
|
2011-09-13 11:44:03 +00:00
|
|
|
{
|
|
|
|
|
assert(outgoingeof == EOF_NO);
|
|
|
|
|
outgoingeof = EOF_PENDING;
|
2018-10-29 19:50:29 +00:00
|
|
|
try_output(false);
|
|
|
|
|
return false; /* do not respond to incoming EOF with outgoing */
|
2011-09-13 11:44:03 +00:00
|
|
|
}
|
|
|
|
|
|
Complete rework of terminal userpass input system.
The system for handling seat_get_userpass_input has always been
structured differently between GUI PuTTY and CLI tools like Plink.
In the CLI tools, password input is read directly from the OS
terminal/console device by console_get_userpass_input; this means that
you need to ensure the same terminal input data _hasn't_ already been
consumed by the main event loop and sent on to the backend. This is
achieved by the backend_sendok() method, which tells the event loop
when the backend has finished issuing password prompts, and hence,
when it's safe to start passing standard input to backend_send().
But in the GUI tools, input generated by the terminal window has
always been sent straight to backend_send(), regardless of whether
backend_sendok() says it wants it. So the terminal-based
implementation of username and password prompts has to work by
consuming input data that had _already_ been passed to the backend -
hence, any backend that needs to do that must keep its input on a
bufchain, and pass that bufchain to seat_get_userpass_input.
It's awkward that these two totally different systems coexist in the
first place. And now that SSH proxying needs to present interactive
prompts of its own, it's clear which one should win: the CLI style is
the Right Thing. So this change reworks the GUI side of the mechanism
to be more similar: terminal data now goes into a queue in the Ldisc,
and is not sent on to the backend until the backend says it's ready
for it via backend_sendok(). So terminal-based userpass prompts can
now consume data directly from that queue during the connection setup
stage.
As a result, the 'bufchain *' parameter has vanished from all the
userpass_input functions (both the official implementations of the
Seat trait method, and term_get_userpass_input() to which some of
those implementations delegate). The only function that actually used
that bufchain, namely term_get_userpass_input(), now instead reads
from the ldisc's input queue via a couple of new Ldisc functions.
(Not _trivial_ functions, since input buffered by Ldisc can be a
mixture of raw bytes and session specials like SS_EOL! The input queue
inside Ldisc is a bufchain containing a fiddly binary encoding that
can represent an arbitrary interleaving of those things.)
This greatly simplifies the calls to seat_get_userpass_input in
backends, which now don't have to mess about with passing their own
user_input bufchain around, or toggling their want_user_input flag
back and forth to request data to put on to that bufchain.
But the flip side is that now there has to be some _other_ method for
notifying the terminal when there's more input to be consumed during
an interactive prompt, and for notifying the backend when prompt input
has finished so that it can proceed to the next stage of the protocol.
This is done by a pair of extra callbacks: when more data is put on to
Ldisc's input queue, it triggers a call to term_get_userpass_input,
and when term_get_userpass_input finishes, it calls a callback
function provided in the prompts_t.
Therefore, any use of a prompts_t which *might* be asynchronous must
fill in the latter callback when setting up the prompts_t. In SSH, the
callback is centralised into a common PPL helper function, which
reinvokes the same PPL's process_queue coroutine; in rlogin we have to
set it up ourselves.
I'm sorry for this large and sprawling patch: I tried fairly hard to
break it up into individually comprehensible sub-patches, but I just
couldn't tease out any part of it that would stand sensibly alone.
2021-09-14 10:57:21 +00:00
|
|
|
static int plink_get_userpass_input(Seat *seat, prompts_t *p)
|
2005-10-30 20:24:09 +00:00
|
|
|
{
|
|
|
|
|
int ret;
|
2018-05-18 06:22:56 +00:00
|
|
|
ret = cmdline_get_passwd_input(p);
|
2005-10-30 20:24:09 +00:00
|
|
|
if (ret == -1)
|
2019-09-08 19:29:00 +00:00
|
|
|
ret = console_get_userpass_input(p);
|
2005-10-30 20:24:09 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-30 06:40:21 +00:00
|
|
|
static bool plink_seat_interactive(Seat *seat)
|
|
|
|
|
{
|
|
|
|
|
return (!*conf_get_str(conf, CONF_remote_cmd) &&
|
|
|
|
|
!*conf_get_str(conf, CONF_remote_cmd2) &&
|
|
|
|
|
!*conf_get_str(conf, CONF_ssh_nc_host));
|
|
|
|
|
}
|
|
|
|
|
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
static const SeatVtable plink_seat_vt = {
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.output = plink_output,
|
|
|
|
|
.eof = plink_eof,
|
New Seat callback, seat_sent().
This is used to notify the Seat that some data has been cleared from
the backend's outgoing data buffer. In other words, it notifies the
Seat that it might be worth calling backend_sendbuffer() again.
We've never needed this before, because until now, Seats have always
been the 'main program' part of the application, meaning they were
also in control of the event loop. So they've been able to call
backend_sendbuffer() proactively, every time they go round the event
loop, instead of having to wait for a callback.
But now, the SSH proxy is the first example of a Seat without
privileged access to the event loop, so it has no way to find out that
the backend's sendbuffer has got smaller. And without that, it can't
pass that notification on to plug_sent, to unblock in turn whatever
the proxied connection might have been waiting to send.
In fact, before this commit, sshproxy.c never called plug_sent at all.
As a result, large data uploads over an SSH jump host would hang
forever as soon as the outgoing buffer filled up for the first time:
the main backend (to which sshproxy.c was acting as a Socket) would
carefully stop filling up the buffer, and then never receive the call
to plug_sent that would cause it to start again.
The new callback is ignored everywhere except in sshproxy.c. It might
be a good idea to remove backend_sendbuffer() entirely and convert all
previous uses of it into non-empty implementations of this callback,
so that we've only got one system; but for the moment, I haven't done
that.
2021-06-27 12:52:48 +00:00
|
|
|
.sent = nullseat_sent,
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.get_userpass_input = plink_get_userpass_input,
|
2021-09-12 10:48:42 +00:00
|
|
|
.notify_session_started = nullseat_notify_session_started,
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.notify_remote_exit = nullseat_notify_remote_exit,
|
2021-05-22 11:47:51 +00:00
|
|
|
.notify_remote_disconnect = nullseat_notify_remote_disconnect,
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.connection_fatal = console_connection_fatal,
|
|
|
|
|
.update_specials_menu = nullseat_update_specials_menu,
|
|
|
|
|
.get_ttymode = plink_get_ttymode,
|
|
|
|
|
.set_busy_status = nullseat_set_busy_status,
|
|
|
|
|
.verify_ssh_host_key = console_verify_ssh_host_key,
|
|
|
|
|
.confirm_weak_crypto_primitive = console_confirm_weak_crypto_primitive,
|
|
|
|
|
.confirm_weak_cached_hostkey = console_confirm_weak_cached_hostkey,
|
|
|
|
|
.is_utf8 = nullseat_is_never_utf8,
|
|
|
|
|
.echoedit_update = plink_echoedit_update,
|
|
|
|
|
.get_x_display = nullseat_get_x_display,
|
|
|
|
|
.get_windowid = nullseat_get_windowid,
|
|
|
|
|
.get_window_pixel_size = nullseat_get_window_pixel_size,
|
|
|
|
|
.stripctrl_new = console_stripctrl_new,
|
|
|
|
|
.set_trust_status = console_set_trust_status,
|
2021-09-12 08:52:46 +00:00
|
|
|
.can_set_trust_status = console_can_set_trust_status,
|
Change vtable defs to use C99 designated initialisers.
This is a sweeping change applied across the whole code base by a spot
of Emacs Lisp. Now, everywhere I declare a vtable filled with function
pointers (and the occasional const data member), all the members of
the vtable structure are initialised by name using the '.fieldname =
value' syntax introduced in C99.
We were already using this syntax for a handful of things in the new
key-generation progress report system, so it's not new to the code
base as a whole.
The advantage is that now, when a vtable only declares a subset of the
available fields, I can initialise the rest to NULL or zero just by
leaving them out. This is most dramatic in a couple of the outlying
vtables in things like psocks (which has a ConnectionLayerVtable
containing only one non-NULL method), but less dramatically, it means
that the new 'flags' field in BackendVtable can be completely left out
of every backend definition except for the SUPDUP one which defines it
to a nonzero value. Similarly, the test_for_upstream method only used
by SSH doesn't have to be mentioned in the rest of the backends;
network Plugs for listening sockets don't have to explicitly null out
'receive' and 'sent', and vice versa for 'accepting', and so on.
While I'm at it, I've normalised the declarations so they don't use
the unnecessarily verbose 'struct' keyword. Also a handful of them
weren't const; now they are.
2020-03-10 21:06:29 +00:00
|
|
|
.verbose = cmdline_seat_verbose,
|
|
|
|
|
.interactive = plink_seat_interactive,
|
|
|
|
|
.get_cursor_position = nullseat_get_cursor_position,
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
};
|
|
|
|
|
static Seat plink_seat[1] = {{ &plink_seat_vt }};
|
|
|
|
|
|
2005-05-14 22:01:10 +00:00
|
|
|
/*
|
|
|
|
|
* Handle data from a local tty in PARMRK format.
|
|
|
|
|
*/
|
2007-01-20 14:13:57 +00:00
|
|
|
static void from_tty(void *vbuf, unsigned len)
|
2005-05-14 22:01:10 +00:00
|
|
|
{
|
2007-01-20 14:13:57 +00:00
|
|
|
char *p, *q, *end, *buf = vbuf;
|
2005-05-14 22:01:10 +00:00
|
|
|
static enum {NORMAL, FF, FF00} state = NORMAL;
|
|
|
|
|
|
|
|
|
|
p = buf; end = buf + len;
|
|
|
|
|
while (p < end) {
|
2019-09-08 19:29:00 +00:00
|
|
|
switch (state) {
|
|
|
|
|
case NORMAL:
|
|
|
|
|
if (*p == '\xff') {
|
|
|
|
|
p++;
|
|
|
|
|
state = FF;
|
|
|
|
|
} else {
|
|
|
|
|
q = memchr(p, '\xff', end - p);
|
|
|
|
|
if (q == NULL) q = end;
|
2018-09-11 15:23:38 +00:00
|
|
|
backend_send(backend, p, q - p);
|
2019-09-08 19:29:00 +00:00
|
|
|
p = q;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case FF:
|
|
|
|
|
if (*p == '\xff') {
|
2018-09-11 15:23:38 +00:00
|
|
|
backend_send(backend, p, 1);
|
2019-09-08 19:29:00 +00:00
|
|
|
p++;
|
|
|
|
|
state = NORMAL;
|
|
|
|
|
} else if (*p == '\0') {
|
|
|
|
|
p++;
|
|
|
|
|
state = FF00;
|
|
|
|
|
} else abort();
|
|
|
|
|
break;
|
|
|
|
|
case FF00:
|
|
|
|
|
if (*p == '\0') {
|
Rework special-commands system to add an integer argument.
In order to list cross-certifiable host keys in the GUI specials menu,
the SSH backend has been inventing new values on the end of the
Telnet_Special enumeration, starting from the value TS_LOCALSTART.
This is inelegant, and also makes it awkward to break up special
handlers (e.g. to dispatch different specials to different SSH
layers), since if all you know about a special is that it's somewhere
in the TS_LOCALSTART+n space, you can't tell what _general kind_ of
thing it is. Also, if I ever need another open-ended set of specials
in future, I'll have to remember which TS_LOCALSTART+n codes are in
which set.
So here's a revamp that causes every special to take an extra integer
argument. For all previously numbered specials, this argument is
passed as zero and ignored, but there's a new main special code for
SSH host key cross-certification, in which the integer argument is an
index into the backend's list of available keys. TS_LOCALSTART is now
a thing of the past: if I need any other open-ended sets of specials
in future, I can add a new top-level code with a nicely separated
space of arguments.
While I'm at it, I've removed the legacy misnomer 'Telnet_Special'
from the code completely; the enum is now SessionSpecialCode, the
struct containing full details of a menu entry is SessionSpecial, and
the enum values now start SS_ rather than TS_.
2018-09-24 08:35:52 +00:00
|
|
|
backend_special(backend, SS_BRK, 0);
|
2019-09-08 19:29:00 +00:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* Pretend that PARMRK wasn't set. This involves
|
|
|
|
|
* faking what INPCK and IGNPAR would have done if
|
|
|
|
|
* we hadn't overridden them. Unfortunately, we
|
|
|
|
|
* can't do this entirely correctly because INPCK
|
|
|
|
|
* distinguishes between framing and parity
|
|
|
|
|
* errors, but PARMRK format represents both in
|
|
|
|
|
* the same way. We assume that parity errors are
|
|
|
|
|
* more common than framing errors, and hence
|
|
|
|
|
* treat all input errors as being subject to
|
|
|
|
|
* INPCK.
|
|
|
|
|
*/
|
|
|
|
|
if (orig_termios.c_iflag & INPCK) {
|
|
|
|
|
/* If IGNPAR is set, we throw away the character. */
|
|
|
|
|
if (!(orig_termios.c_iflag & IGNPAR)) {
|
|
|
|
|
/* PE/FE get passed on as NUL. */
|
|
|
|
|
*p = 0;
|
2018-09-11 15:23:38 +00:00
|
|
|
backend_send(backend, p, 1);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* INPCK not set. Assume we got a parity error. */
|
2018-09-11 15:23:38 +00:00
|
|
|
backend_send(backend, p, 1);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
p++;
|
|
|
|
|
state = NORMAL;
|
|
|
|
|
}
|
2005-05-14 22:01:10 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-02 10:00:43 +00:00
|
|
|
static int signalpipe[2];
|
2003-01-09 18:28:01 +00:00
|
|
|
|
|
|
|
|
void sigwinch(int signum)
|
|
|
|
|
{
|
2009-08-07 00:19:04 +00:00
|
|
|
if (write(signalpipe[1], "x", 1) <= 0)
|
2019-09-08 19:29:00 +00:00
|
|
|
/* not much we can do about it */;
|
2003-01-09 18:28:01 +00:00
|
|
|
}
|
|
|
|
|
|
2002-10-31 19:49:52 +00:00
|
|
|
/*
|
|
|
|
|
* Short description of parameters.
|
|
|
|
|
*/
|
|
|
|
|
static void usage(void)
|
|
|
|
|
{
|
2014-11-22 16:38:01 +00:00
|
|
|
printf("Plink: command-line connection utility\n");
|
2002-10-31 19:49:52 +00:00
|
|
|
printf("%s\n", ver);
|
|
|
|
|
printf("Usage: plink [options] [user@]host [command]\n");
|
|
|
|
|
printf(" (\"host\" can also be a PuTTY saved session name)\n");
|
|
|
|
|
printf("Options:\n");
|
2005-03-19 02:26:58 +00:00
|
|
|
printf(" -V print version information and exit\n");
|
|
|
|
|
printf(" -pgpfp print PGP key fingerprints and exit\n");
|
2002-10-31 19:49:52 +00:00
|
|
|
printf(" -v show verbose messages\n");
|
|
|
|
|
printf(" -load sessname Load settings from saved session\n");
|
2009-08-13 22:01:20 +00:00
|
|
|
printf(" -ssh -telnet -rlogin -raw -serial\n");
|
2004-08-19 13:15:02 +00:00
|
|
|
printf(" force use of a particular protocol\n");
|
2021-02-21 16:41:36 +00:00
|
|
|
printf(" -ssh-connection\n");
|
|
|
|
|
printf(" force use of the bare ssh-connection protocol\n");
|
2002-10-31 19:49:52 +00:00
|
|
|
printf(" -P port connect to specified port\n");
|
|
|
|
|
printf(" -l user connect with specified username\n");
|
|
|
|
|
printf(" -batch disable all interactive prompts\n");
|
2017-02-11 23:03:46 +00:00
|
|
|
printf(" -proxycmd command\n");
|
|
|
|
|
printf(" use 'command' as local proxy\n");
|
2014-09-20 22:51:27 +00:00
|
|
|
printf(" -sercfg configuration-string (e.g. 19200,8,n,1,X)\n");
|
|
|
|
|
printf(" Specify the serial configuration (serial only)\n");
|
2002-10-31 19:49:52 +00:00
|
|
|
printf("The following options only apply to SSH connections:\n");
|
|
|
|
|
printf(" -pw passw login with specified password\n");
|
2004-01-20 12:46:36 +00:00
|
|
|
printf(" -D [listen-IP:]listen-port\n");
|
|
|
|
|
printf(" Dynamic SOCKS-based port forwarding\n");
|
|
|
|
|
printf(" -L [listen-IP:]listen-port:host:port\n");
|
|
|
|
|
printf(" Forward local port to remote address\n");
|
|
|
|
|
printf(" -R [listen-IP:]listen-port:host:port\n");
|
|
|
|
|
printf(" Forward remote port to local address\n");
|
2002-10-31 19:49:52 +00:00
|
|
|
printf(" -X -x enable / disable X11 forwarding\n");
|
|
|
|
|
printf(" -A -a enable / disable agent forwarding\n");
|
|
|
|
|
printf(" -t -T enable / disable pty allocation\n");
|
2021-04-19 14:57:13 +00:00
|
|
|
printf(" -1 -2 force use of particular SSH protocol version\n");
|
2004-12-30 16:45:11 +00:00
|
|
|
printf(" -4 -6 force use of IPv4 or IPv6\n");
|
2002-10-31 19:49:52 +00:00
|
|
|
printf(" -C enable compression\n");
|
2014-09-20 22:49:47 +00:00
|
|
|
printf(" -i key private key file for user authentication\n");
|
2006-02-19 12:52:28 +00:00
|
|
|
printf(" -noagent disable use of Pageant\n");
|
|
|
|
|
printf(" -agent enable use of Pageant\n");
|
New option to reject 'trivial' success of userauth.
Suggested by Manfred Kaiser, who also wrote most of this patch
(although outlying parts, like documentation and SSH-1 support, are by
me).
This is a second line of defence against the kind of spoofing attacks
in which a malicious or compromised SSH server rushes the client
through the userauth phase of SSH without actually requiring any auth
inputs (passwords or signatures or whatever), and then at the start of
the connection phase it presents something like a spoof prompt,
intended to be taken for part of userauth by the user but in fact with
some more sinister purpose.
Our existing line of defence against this is the trust sigil system,
and as far as I know, that's still working. This option allows a bit of
extra defence in depth: if you don't expect your SSH server to
trivially accept authentication in the first place, then enabling this
option will cause PuTTY to disconnect if it unexpectedly does so,
without the user having to spot the presence or absence of a fiddly
little sigil anywhere.
Several types of authentication count as 'trivial'. The obvious one is
the SSH-2 "none" method, which clients always try first so that the
failure message will tell them what else they can try, and which a
server can instead accept in order to authenticate you unconditionally.
But there are two other ways to do it that we know of: one is to run
keyboard-interactive authentication and send an empty INFO_REQUEST
packet containing no actual prompts for the user, and another even
weirder one is to send USERAUTH_SUCCESS in response to the user's
preliminary *offer* of a public key (instead of sending the usual PK_OK
to request an actual signature from the key).
This new option detects all of those, by clearing the 'is_trivial_auth'
flag only when we send some kind of substantive authentication response
(be it a password, a k-i prompt response, a signature, or a GSSAPI
token). So even if there's a further path through the userauth maze we
haven't spotted, that somehow avoids sending anything substantive, this
strategy should still pick it up.
2021-06-19 14:39:15 +00:00
|
|
|
printf(" -no-trivial-auth\n");
|
|
|
|
|
printf(" disconnect if SSH authentication succeeds trivially\n");
|
2017-07-06 08:18:27 +00:00
|
|
|
printf(" -noshare disable use of connection sharing\n");
|
|
|
|
|
printf(" -share enable use of connection sharing\n");
|
2021-03-27 17:33:54 +00:00
|
|
|
printf(" -hostkey keyid\n");
|
2014-09-20 22:49:47 +00:00
|
|
|
printf(" manually specify a host key (may be repeated)\n");
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
printf(" -sanitise-stderr, -sanitise-stdout, "
|
|
|
|
|
"-no-sanitise-stderr, -no-sanitise-stdout\n");
|
|
|
|
|
printf(" do/don't strip control chars from standard "
|
|
|
|
|
"output/error\n");
|
2019-03-10 14:42:33 +00:00
|
|
|
printf(" -no-antispoof omit anti-spoofing prompt after "
|
|
|
|
|
"authentication\n");
|
2005-03-01 00:33:18 +00:00
|
|
|
printf(" -m file read remote command(s) from file\n");
|
2003-08-29 19:21:49 +00:00
|
|
|
printf(" -s remote command is an SSH subsystem (SSH-2 only)\n");
|
2004-10-15 23:32:01 +00:00
|
|
|
printf(" -N don't start a shell/command (SSH-2 only)\n");
|
2006-08-28 17:47:43 +00:00
|
|
|
printf(" -nc host:port\n");
|
|
|
|
|
printf(" open tunnel in place of session (SSH-2 only)\n");
|
2015-11-08 11:57:39 +00:00
|
|
|
printf(" -sshlog file\n");
|
|
|
|
|
printf(" -sshrawlog file\n");
|
|
|
|
|
printf(" log protocol details to a file\n");
|
2020-11-25 15:12:56 +00:00
|
|
|
printf(" -logoverwrite\n");
|
|
|
|
|
printf(" -logappend\n");
|
|
|
|
|
printf(" control what happens when a log file already exists\n");
|
2015-10-22 00:48:35 +00:00
|
|
|
printf(" -shareexists\n");
|
|
|
|
|
printf(" test whether a connection-sharing upstream exists\n");
|
2004-04-17 20:25:09 +00:00
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void version(void)
|
|
|
|
|
{
|
2017-01-21 14:55:53 +00:00
|
|
|
char *buildinfo_text = buildinfo("\n");
|
|
|
|
|
printf("plink: %s\n%s\n", ver, buildinfo_text);
|
|
|
|
|
sfree(buildinfo_text);
|
2017-02-15 19:50:14 +00:00
|
|
|
exit(0);
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2011-12-08 19:15:57 +00:00
|
|
|
void frontend_net_error_pending(void) {}
|
|
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
const bool share_can_be_downstream = true;
|
|
|
|
|
const bool share_can_be_upstream = true;
|
2013-11-17 14:05:41 +00:00
|
|
|
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
const bool buildinfo_gtk_relevant = false;
|
2017-02-22 22:10:05 +00:00
|
|
|
|
2020-01-30 06:40:22 +00:00
|
|
|
const unsigned cmdline_tooltype =
|
|
|
|
|
TOOLTYPE_HOST_ARG |
|
|
|
|
|
TOOLTYPE_HOST_ARG_CAN_BE_SESSION |
|
|
|
|
|
TOOLTYPE_HOST_ARG_PROTOCOL_PREFIX |
|
|
|
|
|
TOOLTYPE_HOST_ARG_FROM_LAUNCHABLE_LOAD;
|
|
|
|
|
|
2021-02-02 18:19:56 +00:00
|
|
|
static bool seen_stdin_eof = false;
|
2020-02-07 19:14:32 +00:00
|
|
|
|
|
|
|
|
static bool plink_pw_setup(void *vctx, pollwrapper *pw)
|
|
|
|
|
{
|
|
|
|
|
pollwrap_add_fd_rwx(pw, signalpipe[0], SELECT_R);
|
|
|
|
|
|
2021-02-02 18:19:56 +00:00
|
|
|
if (!seen_stdin_eof &&
|
2020-02-07 19:14:32 +00:00
|
|
|
backend_connected(backend) &&
|
|
|
|
|
backend_sendok(backend) &&
|
|
|
|
|
backend_sendbuffer(backend) < MAX_STDIN_BACKLOG) {
|
|
|
|
|
/* If we're OK to send, then try to read from stdin. */
|
|
|
|
|
pollwrap_add_fd_rwx(pw, STDIN_FILENO, SELECT_R);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bufchain_size(&stdout_data) > 0) {
|
|
|
|
|
/* If we have data for stdout, try to write to stdout. */
|
|
|
|
|
pollwrap_add_fd_rwx(pw, STDOUT_FILENO, SELECT_W);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bufchain_size(&stderr_data) > 0) {
|
|
|
|
|
/* If we have data for stderr, try to write to stderr. */
|
|
|
|
|
pollwrap_add_fd_rwx(pw, STDERR_FILENO, SELECT_W);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void plink_pw_check(void *vctx, pollwrapper *pw)
|
|
|
|
|
{
|
|
|
|
|
if (pollwrap_check_fd_rwx(pw, signalpipe[0], SELECT_R)) {
|
|
|
|
|
char c[1];
|
|
|
|
|
struct winsize size;
|
|
|
|
|
if (read(signalpipe[0], c, 1) <= 0)
|
|
|
|
|
/* ignore error */;
|
|
|
|
|
/* ignore its value; it'll be `x' */
|
|
|
|
|
if (ioctl(STDIN_FILENO, TIOCGWINSZ, (void *)&size) >= 0)
|
|
|
|
|
backend_size(backend, size.ws_col, size.ws_row);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pollwrap_check_fd_rwx(pw, STDIN_FILENO, SELECT_R)) {
|
|
|
|
|
char buf[4096];
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (backend_connected(backend)) {
|
|
|
|
|
ret = read(STDIN_FILENO, buf, sizeof(buf));
|
|
|
|
|
noise_ultralight(NOISE_SOURCE_IOLEN, ret);
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
perror("stdin: read");
|
|
|
|
|
exit(1);
|
|
|
|
|
} else if (ret == 0) {
|
|
|
|
|
backend_special(backend, SS_EOF, 0);
|
2021-02-02 18:19:56 +00:00
|
|
|
seen_stdin_eof = true;
|
2020-02-07 19:14:32 +00:00
|
|
|
} else {
|
|
|
|
|
if (local_tty)
|
|
|
|
|
from_tty(buf, ret);
|
|
|
|
|
else
|
|
|
|
|
backend_send(backend, buf, ret);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pollwrap_check_fd_rwx(pw, STDOUT_FILENO, SELECT_W)) {
|
|
|
|
|
backend_unthrottle(backend, try_output(false));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pollwrap_check_fd_rwx(pw, STDERR_FILENO, SELECT_W)) {
|
|
|
|
|
backend_unthrottle(backend, try_output(true));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool plink_continue(void *vctx, bool found_any_fd,
|
|
|
|
|
bool ran_any_callback)
|
|
|
|
|
{
|
|
|
|
|
if (!backend_connected(backend) &&
|
|
|
|
|
bufchain_size(&stdout_data) == 0 && bufchain_size(&stderr_data) == 0)
|
|
|
|
|
return false; /* terminate main loop */
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2002-10-31 19:49:52 +00:00
|
|
|
int main(int argc, char **argv)
|
|
|
|
|
{
|
|
|
|
|
int exitcode;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool errors;
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
enum TriState sanitise_stdout = AUTO, sanitise_stderr = AUTO;
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
bool use_subsystem = false;
|
|
|
|
|
bool just_test_share_exists = false;
|
2012-08-25 22:57:39 +00:00
|
|
|
struct winsize size;
|
2018-10-05 06:03:46 +00:00
|
|
|
const struct BackendVtable *backvt;
|
2002-10-31 19:49:52 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialise port and protocol to sensible defaults. (These
|
|
|
|
|
* will be overridden by more or less anything.)
|
|
|
|
|
*/
|
2020-02-02 10:00:42 +00:00
|
|
|
settings_set_default_protocol(PROT_SSH);
|
|
|
|
|
settings_set_default_port(22);
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2011-09-13 11:44:03 +00:00
|
|
|
bufchain_init(&stdout_data);
|
|
|
|
|
bufchain_init(&stderr_data);
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
bufchain_sink_init(&stdout_bcs, &stdout_data);
|
|
|
|
|
bufchain_sink_init(&stderr_bcs, &stderr_data);
|
|
|
|
|
stdout_bs = BinarySink_UPCAST(&stdout_bcs);
|
|
|
|
|
stderr_bs = BinarySink_UPCAST(&stderr_bcs);
|
2011-09-13 11:44:03 +00:00
|
|
|
outgoingeof = EOF_NO;
|
|
|
|
|
|
2007-09-29 12:27:45 +00:00
|
|
|
stderr_tty_init();
|
2002-10-31 19:49:52 +00:00
|
|
|
/*
|
|
|
|
|
* Process the command line.
|
|
|
|
|
*/
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
conf = conf_new();
|
|
|
|
|
do_defaults(NULL, conf);
|
2020-02-02 10:00:42 +00:00
|
|
|
settings_set_default_protocol(conf_get_int(conf, CONF_protocol));
|
|
|
|
|
settings_set_default_port(conf_get_int(conf, CONF_port));
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
errors = false;
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
|
* Override the default protocol if PLINK_PROTOCOL is set.
|
|
|
|
|
*/
|
|
|
|
|
char *p = getenv("PLINK_PROTOCOL");
|
|
|
|
|
if (p) {
|
2018-10-05 06:03:46 +00:00
|
|
|
const struct BackendVtable *vt = backend_vt_from_name(p);
|
2018-09-11 15:23:38 +00:00
|
|
|
if (vt) {
|
2020-02-02 10:00:42 +00:00
|
|
|
settings_set_default_protocol(vt->protocol);
|
|
|
|
|
settings_set_default_port(vt->default_port);
|
|
|
|
|
conf_set_int(conf, CONF_protocol, vt->protocol);
|
|
|
|
|
conf_set_int(conf, CONF_port, vt->default_port);
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
while (--argc) {
|
2019-09-08 19:29:00 +00:00
|
|
|
char *p = *++argv;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
int ret = cmdline_process_param(p, (argc > 1 ? argv[1] : NULL),
|
|
|
|
|
1, conf);
|
|
|
|
|
if (ret == -2) {
|
|
|
|
|
fprintf(stderr,
|
|
|
|
|
"plink: option \"%s\" requires an argument\n", p);
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
errors = true;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
} else if (ret == 2) {
|
|
|
|
|
--argc, ++argv;
|
|
|
|
|
} else if (ret == 1) {
|
|
|
|
|
continue;
|
|
|
|
|
} else if (!strcmp(p, "-batch")) {
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
console_batch_mode = true;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
} else if (!strcmp(p, "-s")) {
|
|
|
|
|
/* Save status to write to conf later. */
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
use_subsystem = true;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
} else if (!strcmp(p, "-V") || !strcmp(p, "--version")) {
|
|
|
|
|
version();
|
|
|
|
|
} else if (!strcmp(p, "--help")) {
|
|
|
|
|
usage();
|
|
|
|
|
exit(0);
|
|
|
|
|
} else if (!strcmp(p, "-pgpfp")) {
|
|
|
|
|
pgp_fingerprints();
|
|
|
|
|
exit(1);
|
|
|
|
|
} else if (!strcmp(p, "-o")) {
|
|
|
|
|
if (argc <= 1) {
|
|
|
|
|
fprintf(stderr,
|
|
|
|
|
"plink: option \"-o\" requires an argument\n");
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
errors = true;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
} else {
|
|
|
|
|
--argc;
|
2019-04-13 18:12:53 +00:00
|
|
|
/* Explicitly pass "plink" in place of appname for
|
|
|
|
|
* error reporting purposes. appname will have been
|
|
|
|
|
* set by be_foo.c to something more generic, probably
|
|
|
|
|
* "PuTTY". */
|
|
|
|
|
provide_xrm_string(*++argv, "plink");
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
}
|
|
|
|
|
} else if (!strcmp(p, "-shareexists")) {
|
2018-10-29 19:50:29 +00:00
|
|
|
just_test_share_exists = true;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
} else if (!strcmp(p, "-fuzznet")) {
|
|
|
|
|
conf_set_int(conf, CONF_proxy_type, PROXY_FUZZ);
|
|
|
|
|
conf_set_str(conf, CONF_proxy_telnet_command, "%host");
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
} else if (!strcmp(p, "-sanitise-stdout") ||
|
|
|
|
|
!strcmp(p, "-sanitize-stdout")) {
|
|
|
|
|
sanitise_stdout = FORCE_ON;
|
|
|
|
|
} else if (!strcmp(p, "-no-sanitise-stdout") ||
|
|
|
|
|
!strcmp(p, "-no-sanitize-stdout")) {
|
|
|
|
|
sanitise_stdout = FORCE_OFF;
|
|
|
|
|
} else if (!strcmp(p, "-sanitise-stderr") ||
|
|
|
|
|
!strcmp(p, "-sanitize-stderr")) {
|
|
|
|
|
sanitise_stderr = FORCE_ON;
|
|
|
|
|
} else if (!strcmp(p, "-no-sanitise-stderr") ||
|
|
|
|
|
!strcmp(p, "-no-sanitize-stderr")) {
|
|
|
|
|
sanitise_stderr = FORCE_OFF;
|
2019-03-10 14:42:33 +00:00
|
|
|
} else if (!strcmp(p, "-no-antispoof")) {
|
|
|
|
|
console_antispoof_prompt = false;
|
2019-09-08 19:29:00 +00:00
|
|
|
} else if (*p != '-') {
|
2019-02-11 06:58:07 +00:00
|
|
|
strbuf *cmdbuf = strbuf_new();
|
|
|
|
|
|
|
|
|
|
while (argc > 0) {
|
|
|
|
|
if (cmdbuf->len > 0)
|
|
|
|
|
put_byte(cmdbuf, ' '); /* add space separator */
|
|
|
|
|
put_datapl(cmdbuf, ptrlen_from_asciz(p));
|
|
|
|
|
if (--argc > 0)
|
|
|
|
|
p = *++argv;
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
}
|
2019-02-11 06:58:07 +00:00
|
|
|
|
|
|
|
|
conf_set_str(conf, CONF_remote_cmd, cmdbuf->s);
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
conf_set_str(conf, CONF_remote_cmd2, "");
|
2018-10-29 19:57:31 +00:00
|
|
|
conf_set_bool(conf, CONF_nopty, true); /* command => no tty */
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
|
2019-02-11 06:58:07 +00:00
|
|
|
strbuf_free(cmdbuf);
|
2019-09-08 19:29:00 +00:00
|
|
|
break; /* done with cmdline */
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
} else {
|
|
|
|
|
fprintf(stderr, "plink: unknown option \"%s\"\n", p);
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
errors = true;
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2002-11-20 20:09:02 +00:00
|
|
|
if (errors)
|
2019-09-08 19:29:00 +00:00
|
|
|
return 1;
|
2002-11-20 20:09:02 +00:00
|
|
|
|
Centralise PuTTY and Plink's non-option argument handling.
This is another piece of long-overdue refactoring similar to the
recent commit e3796cb77. But where that one dealt with normalisation
of stuff already stored _in_ a Conf by whatever means (including, in
particular, handling a user typing 'username@host.name' into the
Hostname box of the GUI session dialog box), this one deals with
handling argv entries and putting them into the Conf.
This isn't exactly a pure no-functional-change-at-all refactoring. On
the other hand, it isn't a full-on cleanup that completely
rationalises all the user-visible behaviour as well as the code
structure. It's somewhere in between: I've preserved all the behaviour
quirks that I could imagine a reason for having intended, but taken
the opportunity to _not_ faithfully replicate anything I thought was
clearly just a bug.
So, for example, the following inconsistency is carefully preserved:
the command 'plink -load session nextword' treats 'nextword' as a host
name if the loaded session hasn't provided a hostname already, and
otherwise treats 'nextword' as the remote command to execute on the
already-specified remote host, but the same combination of arguments
to GUI PuTTY will _always_ treat 'nextword' as a hostname, overriding
a hostname (if any) in the saved session. That makes some sense to me
because of the different shapes of the overall command lines.
On the other hand, there are two behaviour changes I know of as a
result of this commit: a third argument to GUI PuTTY (after a hostname
and port) now provokes an error message instead of being silently
ignored, and in Plink, if you combine a -P option (specifying a port
number) with the historical comma-separated protocol selection prefix
on the hostname argument (which I'd completely forgotten even existed
until this piece of work), then the -P will now override the selected
protocol's default port number, whereas previously the default port
would win. For example, 'plink -P 12345 telnet,hostname' will now
connect via Telnet to port 12345 instead of to port 23.
There may be scope for removing or rethinking some of the command-
line syntax quirks in the wake of this change. If we do decide to do
anything like that, then hopefully having it all in one place will
make it easier to remove or change things consistently across the
tools.
2017-12-07 19:59:43 +00:00
|
|
|
if (!cmdline_host_ok(conf)) {
|
2019-09-08 19:29:00 +00:00
|
|
|
usage();
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2017-12-03 14:35:03 +00:00
|
|
|
prepare_session(conf);
|
2002-10-31 19:49:52 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Perform command-line overrides on session configuration.
|
|
|
|
|
*/
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
cmdline_run_saved(conf);
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2015-01-05 23:41:43 +00:00
|
|
|
/*
|
|
|
|
|
* If we have no better ideas for the remote username, use the local
|
|
|
|
|
* one, as 'ssh' does.
|
|
|
|
|
*/
|
|
|
|
|
if (conf_get_str(conf, CONF_username)[0] == '\0') {
|
2019-09-08 19:29:00 +00:00
|
|
|
char *user = get_username();
|
|
|
|
|
if (user) {
|
|
|
|
|
conf_set_str(conf, CONF_username, user);
|
|
|
|
|
sfree(user);
|
|
|
|
|
}
|
2015-01-05 23:41:43 +00:00
|
|
|
}
|
|
|
|
|
|
2003-08-29 19:21:49 +00:00
|
|
|
/*
|
|
|
|
|
* Apply subsystem status.
|
|
|
|
|
*/
|
|
|
|
|
if (use_subsystem)
|
2018-10-29 19:57:31 +00:00
|
|
|
conf_set_bool(conf, CONF_ssh_subsys, true);
|
2002-10-31 19:49:52 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Select protocol. This is farmed out into a table in a
|
|
|
|
|
* separate file to enable an ssh-free variant.
|
|
|
|
|
*/
|
2018-09-11 15:23:38 +00:00
|
|
|
backvt = backend_vt_from_proto(conf_get_int(conf, CONF_protocol));
|
|
|
|
|
if (!backvt) {
|
2019-09-08 19:29:00 +00:00
|
|
|
fprintf(stderr,
|
|
|
|
|
"Internal fault: Unsupported protocol found\n");
|
|
|
|
|
return 1;
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
2020-02-18 14:16:26 +00:00
|
|
|
if (backvt->flags & BACKEND_NEEDS_TERMINAL) {
|
|
|
|
|
fprintf(stderr,
|
2021-02-21 16:05:12 +00:00
|
|
|
"Plink doesn't support %s, which needs terminal emulation\n",
|
|
|
|
|
backvt->displayname);
|
2020-02-18 14:16:26 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-08 19:15:52 +00:00
|
|
|
/*
|
|
|
|
|
* Block SIGPIPE, so that we'll get EPIPE individually on
|
|
|
|
|
* particular network connections that go wrong.
|
|
|
|
|
*/
|
|
|
|
|
putty_signal(SIGPIPE, SIG_IGN);
|
|
|
|
|
|
2003-01-09 18:28:01 +00:00
|
|
|
/*
|
|
|
|
|
* Set up the pipe we'll use to tell us about SIGWINCH.
|
|
|
|
|
*/
|
|
|
|
|
if (pipe(signalpipe) < 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
perror("pipe");
|
|
|
|
|
exit(1);
|
2003-01-09 18:28:01 +00:00
|
|
|
}
|
2016-05-01 15:46:40 +00:00
|
|
|
/* We don't want the signal handler to block if the pipe's full. */
|
|
|
|
|
nonblock(signalpipe[0]);
|
|
|
|
|
nonblock(signalpipe[1]);
|
2016-05-01 15:55:07 +00:00
|
|
|
cloexec(signalpipe[0]);
|
|
|
|
|
cloexec(signalpipe[1]);
|
2003-01-09 18:28:01 +00:00
|
|
|
putty_signal(SIGWINCH, sigwinch);
|
|
|
|
|
|
2012-08-25 22:57:39 +00:00
|
|
|
/*
|
|
|
|
|
* Now that we've got the SIGWINCH handler installed, try to find
|
|
|
|
|
* out the initial terminal size.
|
|
|
|
|
*/
|
|
|
|
|
if (ioctl(STDIN_FILENO, TIOCGWINSZ, &size) >= 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
conf_set_int(conf, CONF_width, size.ws_col);
|
|
|
|
|
conf_set_int(conf, CONF_height, size.ws_row);
|
2012-08-25 22:57:39 +00:00
|
|
|
}
|
|
|
|
|
|
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.
The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)
For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.
So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.
This all applies the same way to both Unix and Windows Plink.
2019-02-20 07:03:57 +00:00
|
|
|
/*
|
|
|
|
|
* Decide whether to sanitise control sequences out of standard
|
|
|
|
|
* output and standard error.
|
|
|
|
|
*
|
|
|
|
|
* If we weren't given a command-line override, we do this if (a)
|
|
|
|
|
* the fd in question is pointing at a terminal, and (b) we aren't
|
|
|
|
|
* trying to allocate a terminal as part of the session.
|
|
|
|
|
*
|
|
|
|
|
* (Rationale: the risk of control sequences is that they cause
|
|
|
|
|
* confusion when sent to a local terminal, so if there isn't one,
|
|
|
|
|
* no problem. Also, if we allocate a remote terminal, then we
|
|
|
|
|
* sent a terminal type, i.e. we told it what kind of escape
|
|
|
|
|
* sequences we _like_, i.e. we were expecting to receive some.)
|
|
|
|
|
*/
|
|
|
|
|
if (sanitise_stdout == FORCE_ON ||
|
|
|
|
|
(sanitise_stdout == AUTO && isatty(STDOUT_FILENO) &&
|
|
|
|
|
conf_get_bool(conf, CONF_nopty))) {
|
|
|
|
|
stdout_scc = stripctrl_new(stdout_bs, true, L'\0');
|
|
|
|
|
stdout_bs = BinarySink_UPCAST(stdout_scc);
|
|
|
|
|
}
|
|
|
|
|
if (sanitise_stderr == FORCE_ON ||
|
|
|
|
|
(sanitise_stderr == AUTO && isatty(STDERR_FILENO) &&
|
|
|
|
|
conf_get_bool(conf, CONF_nopty))) {
|
|
|
|
|
stderr_scc = stripctrl_new(stderr_bs, true, L'\0');
|
|
|
|
|
stderr_bs = BinarySink_UPCAST(stderr_scc);
|
|
|
|
|
}
|
|
|
|
|
|
2002-10-31 19:49:52 +00:00
|
|
|
sk_init();
|
2003-03-29 16:47:06 +00:00
|
|
|
uxsel_init();
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2007-09-30 14:14:29 +00:00
|
|
|
/*
|
2016-04-15 21:58:26 +00:00
|
|
|
* Plink doesn't provide any way to add forwardings after the
|
2007-09-30 14:14:29 +00:00
|
|
|
* connection is set up, so if there are none now, we can safely set
|
|
|
|
|
* the "simple" flag.
|
|
|
|
|
*/
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
if (conf_get_int(conf, CONF_protocol) == PROT_SSH &&
|
2019-09-08 19:29:00 +00:00
|
|
|
!conf_get_bool(conf, CONF_x11_forward) &&
|
|
|
|
|
!conf_get_bool(conf, CONF_agentfwd) &&
|
|
|
|
|
!conf_get_str_nthstrkey(conf, CONF_portfwd, 0))
|
|
|
|
|
conf_set_bool(conf, CONF_ssh_simple, true);
|
Post-release destabilisation! Completely remove the struct type
'Config' in putty.h, which stores all PuTTY's settings and includes an
arbitrary length limit on every single one of those settings which is
stored in string form. In place of it is 'Conf', an opaque data type
everywhere outside the new file conf.c, which stores a list of (key,
value) pairs in which every key contains an integer identifying a
configuration setting, and for some of those integers the key also
contains extra parts (so that, for instance, CONF_environmt is a
string-to-string mapping). Everywhere that a Config was previously
used, a Conf is now; everywhere there was a Config structure copy,
conf_copy() is called; every lookup, adjustment, load and save
operation on a Config has been rewritten; and there's a mechanism for
serialising a Conf into a binary blob and back for use with Duplicate
Session.
User-visible effects of this change _should_ be minimal, though I
don't doubt I've introduced one or two bugs here and there which will
eventually be found. The _intended_ visible effects of this change are
that all arbitrary limits on configuration strings and lists (e.g.
limit on number of port forwardings) should now disappear; that list
boxes in the configuration will now be displayed in a sorted order
rather than the arbitrary order in which they were added to the list
(since the underlying data structure is now a sorted tree234 rather
than an ad-hoc comma-separated string); and one more specific change,
which is that local and dynamic port forwardings on the same port
number are now mutually exclusive in the configuration (putting 'D' in
the key rather than the value was a mistake in the first place).
One other reorganisation as a result of this is that I've moved all
the dialog.c standard handlers (dlg_stdeditbox_handler and friends)
out into config.c, because I can't really justify calling them generic
any more. When they took a pointer to an arbitrary structure type and
the offset of a field within that structure, they were independent of
whether that structure was a Config or something completely different,
but now they really do expect to talk to a Conf, which can _only_ be
used for PuTTY configuration, so I've renamed them all things like
conf_editbox_handler and moved them out of the nominally independent
dialog-box management module into the PuTTY-specific config.c.
[originally from svn r9214]
2011-07-14 18:52:21 +00:00
|
|
|
|
2015-09-25 10:46:28 +00:00
|
|
|
if (just_test_share_exists) {
|
2018-09-11 15:23:38 +00:00
|
|
|
if (!backvt->test_for_upstream) {
|
2020-02-16 11:34:40 +00:00
|
|
|
fprintf(stderr, "Connection sharing not supported for this "
|
|
|
|
|
"connection type (%s)'\n", backvt->displayname);
|
2015-09-25 10:46:28 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
2018-09-11 15:23:38 +00:00
|
|
|
if (backvt->test_for_upstream(conf_get_str(conf, CONF_host),
|
|
|
|
|
conf_get_int(conf, CONF_port), conf))
|
2015-09-25 10:46:28 +00:00
|
|
|
return 0;
|
|
|
|
|
else
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2002-10-31 19:49:52 +00:00
|
|
|
/*
|
|
|
|
|
* Start up the connection.
|
|
|
|
|
*/
|
Remove FLAG_VERBOSE.
The global 'int flags' has always been an ugly feature of this code
base, and I suddenly thought that perhaps it's time to start throwing
it out, one flag at a time, until it's totally unused.
My first target is FLAG_VERBOSE. This was usually set by cmdline.c
when it saw a -v option on the program's command line, except that GUI
PuTTY itself sets it unconditionally on startup. And then various bits
of the code would check it in order to decide whether to print a given
message.
In the current system of front-end abstraction traits, there's no
_one_ place that I can move it to. But there are two: every place that
checked FLAG_VERBOSE has access to either a Seat or a LogPolicy. So
now each of those traits has a query method for 'do I want verbose
messages?'.
A good effect of this is that subsidiary Seats, like the ones used in
Uppity for the main SSH server module itself and the server end of
shell channels, now get to have their own verbosity setting instead of
inheriting the one global one. In fact I don't expect any code using
those Seats to be generating any messages at all, but if that changes
later, we'll have a way to control it. (Who knows, perhaps logging in
Uppity might become a thing.)
As part of this cleanup, I've added a new flag to cmdline_tooltype,
called TOOLTYPE_NO_VERBOSE_OPTION. The unconditionally-verbose tools
now set that, and it has the effect of making cmdline.c disallow -v
completely. So where 'putty -v' would previously have been silently
ignored ("I was already verbose"), it's now an error, reminding you
that that option doesn't actually do anything.
Finally, the 'default_logpolicy' provided by uxcons.c and wincons.c
(with identical definitions) has had to move into a new file of its
own, because now it has to ask cmdline.c for the verbosity setting as
well as asking console.c for the rest of its methods. So there's a new
file clicons.c which can only be included by programs that link
against both cmdline.c _and_ one of the *cons.c, and I've renamed the
logpolicy to reflect that.
2020-01-30 06:40:21 +00:00
|
|
|
logctx = log_init(console_cli_logpolicy, conf);
|
2002-10-31 19:49:52 +00:00
|
|
|
{
|
2020-04-18 12:28:33 +00:00
|
|
|
char *error, *realhost;
|
2019-09-08 19:29:00 +00:00
|
|
|
/* nodelay is only useful if stdin is a terminal device */
|
|
|
|
|
bool nodelay = conf_get_bool(conf, CONF_tcp_nodelay) && isatty(0);
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/* This is a good place for a fuzzer to fork us. */
|
2015-10-17 11:25:36 +00:00
|
|
|
#ifdef __AFL_HAVE_MANUAL_CONTROL
|
2019-09-08 19:29:00 +00:00
|
|
|
__AFL_INIT();
|
2015-10-17 11:25:36 +00:00
|
|
|
#endif
|
|
|
|
|
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
error = backend_init(backvt, plink_seat, &backend, logctx, conf,
|
2018-09-11 15:23:38 +00:00
|
|
|
conf_get_str(conf, CONF_host),
|
|
|
|
|
conf_get_int(conf, CONF_port),
|
|
|
|
|
&realhost, nodelay,
|
2018-10-29 19:57:31 +00:00
|
|
|
conf_get_bool(conf, CONF_tcp_keepalives));
|
2019-09-08 19:29:00 +00:00
|
|
|
if (error) {
|
|
|
|
|
fprintf(stderr, "Unable to open connection:\n%s\n", error);
|
2020-04-18 12:28:33 +00:00
|
|
|
sfree(error);
|
2019-09-08 19:29:00 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
ldisc_create(conf, NULL, backend, plink_seat);
|
2019-09-08 19:29:00 +00:00
|
|
|
sfree(realhost);
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set up the initial console mode. We don't care if this call
|
|
|
|
|
* fails, because we know we aren't necessarily running in a
|
|
|
|
|
* console.
|
|
|
|
|
*/
|
2007-09-24 21:31:45 +00:00
|
|
|
local_tty = (tcgetattr(STDIN_FILENO, &orig_termios) == 0);
|
2002-10-31 19:49:52 +00:00
|
|
|
atexit(cleanup_termios);
|
New abstraction 'Seat', to pass to backends.
This is a new vtable-based abstraction which is passed to a backend in
place of Frontend, and it implements only the subset of the Frontend
functions needed by a backend. (Many other Frontend functions still
exist, notably the wide range of things called by terminal.c providing
platform-independent operations on the GUI terminal window.)
The purpose of making it a vtable is that this opens up the
possibility of creating a backend as an internal implementation detail
of some other activity, by providing just that one backend with a
custom Seat that implements the methods differently.
For example, this refactoring should make it feasible to directly
implement an SSH proxy type, aka the 'jump host' feature supported by
OpenSSH, aka 'open a secondary SSH session in MAINCHAN_DIRECT_TCP
mode, and then expose the main channel of that as the Socket for the
primary connection'. (Which of course you can already do by spawning
'plink -nc' as a separate proxy process, but this would permit it in
the _same_ process without anything getting confused.)
I've centralised a full set of stub methods in misc.c for the new
abstraction, which allows me to get rid of several annoying stubs in
the previous code. Also, while I'm here, I've moved a lot of
duplicated modalfatalbox() type functions from application main
program files into wincons.c / uxcons.c, which I think saves
duplication overall. (A minor visible effect is that the prefixes on
those console-based fatal error messages will now be more consistent
between applications.)
2018-10-11 18:58:42 +00:00
|
|
|
seat_echoedit_update(plink_seat, 1, 1);
|
2002-10-31 19:49:52 +00:00
|
|
|
|
2020-02-07 19:14:32 +00:00
|
|
|
cli_main_loop(plink_pw_setup, plink_pw_check, plink_continue, NULL);
|
2003-01-09 18:28:01 +00:00
|
|
|
|
2018-09-11 15:23:38 +00:00
|
|
|
exitcode = backend_exitcode(backend);
|
2002-10-31 19:49:52 +00:00
|
|
|
if (exitcode < 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
fprintf(stderr, "Remote process exit code unavailable\n");
|
|
|
|
|
exitcode = 1; /* this is an error condition */
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|
2002-11-02 15:23:20 +00:00
|
|
|
cleanup_exit(exitcode);
|
2019-09-08 19:29:00 +00:00
|
|
|
return exitcode; /* shouldn't happen, but placates gcc */
|
2002-10-31 19:49:52 +00:00
|
|
|
}
|