From 448c1a085a19c3eb87876e15034581bd5217fd85 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Mon, 27 Aug 2001 15:02:52 +0000 Subject: [PATCH] Finally tighten up the server-side wildcard security hole, the _right_ way. (SSWs are disabled by default and can be re-enabled using `-unsafe', meaning that pscp will _never_ do anything unexpected to your local file system unless you explicitly give consent. The sftp-based variant will work fine because the corresponding mechanism is _not_ unsafe.) [originally from svn r1212] --- scp.c | 43 ++++++++++++++++++++++++++----------------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/scp.c b/scp.c index 7ab31207..8b71390e 100644 --- a/scp.c +++ b/scp.c @@ -57,6 +57,7 @@ static int targetshouldbedirectory = 0; static int statistics = 1; static int portnumber = 0; static int prev_stats_len = 0; +static int scp_unsafe_mode = 0; static char *password = NULL; static int errs = 0; /* GUI Adaptation - Sept 2000 */ @@ -1173,7 +1174,6 @@ int scp_get_sink_action(struct scp_sink_action *act) * Simple case: we are only dealing with one file. */ fname = scp_sftp_remotepath; -printf("oi :%s:\n", fname); must_free_fname = 0; scp_sftp_donethistarget = 1; } else { @@ -1196,12 +1196,10 @@ printf("oi :%s:\n", fname); !wc_match(head->wildcard, head->names[head->namepos].filename)))) head->namepos++; /* skip . and .. */ -printf("ooh\n"); if (head->namepos < head->namelen) { fname = dupcat(head->dirpath, "/", head->names[head->namepos++].filename, NULL); -printf("got :%s:\n", fname); must_free_fname = 1; } else { /* @@ -1224,7 +1222,7 @@ printf("got :%s:\n", fname); return 0; } } -printf("filename :%s:\n", fname); + /* * Now we have a filename. Stat it, and see if it's a file * or a directory. @@ -1739,16 +1737,18 @@ static void sink(char *targ, char *src) * and the last component of that will fail to match * (the last component of) the name sent. * - * (Well, not always; if `src' is a wildcard, we do + * Well, not always; if `src' is a wildcard, we do * expect to get back filenames that don't correspond - * exactly to it. So we skip this check if `src' - * contains a *, a ? or a []. This is non-ideal - we - * would like to ensure that the returned filename - * actually matches the wildcard pattern - but one of - * SCP's protocol infelicities is that wildcard - * matching is done at the server end _by the server's - * rules_ and so in general this is infeasible. Live - * with it, or upgrade to SFTP.) + * exactly to it. Ideally in this case, we would like + * to ensure that the returned filename actually + * matches the wildcard pattern - but one of SCP's + * protocol infelicities is that wildcard matching is + * done at the server end _by the server's rules_ and + * so in general this is infeasible. Hence, we only + * accept filenames that don't correspond to `src' if + * unsafe mode is enabled or we are using SFTP (which + * resolves remote wildcards on the client side and can + * be trusted). */ char *striptarget, *stripsrc; @@ -1770,10 +1770,16 @@ static void sink(char *targ, char *src) if (src) { stripsrc = stripslashes(src, 1); - if (!stripsrc[strcspn(stripsrc, "*?[]")] && - strcmp(striptarget, stripsrc)) { - tell_user(stderr, "warning: remote host attempted to" - " write to a different filename: disallowing"); + if (strcmp(striptarget, stripsrc) && + !using_sftp && !scp_unsafe_mode) { + tell_user(stderr, "warning: remote host tried to write " + "to a file called '%s'", striptarget); + tell_user(stderr, " when we requested a file " + "called '%s'.", stripsrc); + tell_user(stderr, " If this is a wildcard, " + "consider upgrading to SSH 2 or using"); + tell_user(stderr, " the '-unsafe' option. Renaming" + " of this file has been disallowed."); /* Override the name the server provided with our own. */ striptarget = stripsrc; } @@ -2144,6 +2150,7 @@ static void usage(void) printf(" -v show verbose messages\n"); printf(" -P port connect to specified port\n"); printf(" -pw passw login with specified password\n"); + printf(" -unsafe allow server-side wildcards (DANGEROUS)\n"); #if 0 /* * -gui is an internal option, used by GUI front ends to get @@ -2194,6 +2201,8 @@ int main(int argc, char *argv[]) gui_mode = 1; } else if (strcmp(argv[i], "-ls") == 0) list = 1; + else if (strcmp(argv[i], "-unsafe") == 0) + scp_unsafe_mode = 1; else if (strcmp(argv[i], "--") == 0) { i++; break;