nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 11:32:48 -05:00
Code Issues Projects Releases Wiki Activity

File transfer tools: sanitise remote filenames and stderr.

Browse Source 
This commit adds sanitisation to PSCP and PSFTP in the same style as
I've just put it into Plink. This time, standard error is sanitised
without reference to whether it's redirected (at least unless you give
an override option), on the basis that where Plink is _sometimes_ an
SSH transport for some other protocol, PSCP and PSFTP _always_ are.

But also, the sanitiser is run over any remote filename sent by the
server, substituting ? for any control characters it finds. That
removes another avenue for the server to deliberately confuse the
display.

This commit fixes our bug 'pscp-unsanitised-server-output', aka the
two notional 'vulnerabilities' CVE-2019-6109 and CVE-2019-6110.
(Although we regard those in isolation as only bugs, not serious
vulnerabilities, because their main threat was in hiding the evidence
of a server having exploited other more serious vulns that we never
had.)
This commit is contained in:
Simon Tatham
2019-02-20 07:09:10 +00:00
parent 91cf47dd0d
commit 2675f9578d
5 changed files with 186 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
doc/pscp.but
View File

@ -63,6 +63,7 @@ use PSCP:
\c -hostkey aa:bb:cc:...
\c manually specify a host key (may be repeated)
\c -batch disable all interactive prompts
\c -no-sanitise-stderr don't strip control chars from standard error
\c -proxycmd command
\c use 'command' as local proxy
\c -unsafe allow server-side wildcards (DANGEROUS)
@ -281,6 +282,15 @@ The \c{-sftp} option forces PSCP to use the SFTP protocol or quit.
When this option is specified, PSCP looks harder for an SFTP server,
which may allow use of SFTP with SSH-1 depending on server setup.
\S2{pscp-option-sanitise} \I{-sanitise-stderr}\I{-no-sanitise-stderr}\c{-no-sanitise-stderr}: control error message sanitisation
The \c{-no-sanitise-stderr} option will cause PSCP to pass through the
server's standard-error stream literally, without stripping control
characters from it first. This might be useful if the server were
sending coloured error messages, but it also gives the server the
ability to have unexpected effects on your terminal display. For more
discussion, see \k{plink-option-sanitise}.
\S{pscp-retval} \ii{Return value}
PSCP returns an \i\cw{ERRORLEVEL} of zero (success) only if the files

9
doc/psftp.but
View File

@ -135,6 +135,15 @@ This may help PSFTP's behaviour when it is used in automated
scripts: using \c{-batch}, if something goes wrong at connection
time, the batch job will fail rather than hang.
\S2{psftp-option-sanitise} \I{-sanitise-stderr}\I{-no-sanitise-stderr}\c{-no-sanitise-stderr}: control error message sanitisation
The \c{-no-sanitise-stderr} option will cause PSFTP to pass through the
server's standard-error stream literally, without stripping control
characters from it first. This might be useful if the server were
sending coloured error messages, but it also gives the server the
ability to have unexpected effects on your terminal display. For more
discussion, see \k{plink-option-sanitise}.
\H{psftp-commands} Running PSFTP
Once you have started your PSFTP session, you will see a \c{psftp>}