nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-02-03 21:52:24 +00:00
Code Issues Projects Releases Wiki Activity

Finally tighten up the server-side wildcard security hole, the

Browse Source 
_right_ way. (SSWs are disabled by default and can be re-enabled
using `-unsafe', meaning that pscp will _never_ do anything
unexpected to your local file system unless you explicitly give
consent. The sftp-based variant will work fine because the
corresponding mechanism is _not_ unsafe.)

[originally from svn r1212]
This commit is contained in:
Simon Tatham 2001-08-27 15:02:52 +00:00
parent a8e0abbf28
commit 448c1a085a
1 changed files with 26 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
scp.c
View File

@ -57,6 +57,7 @@ static int targetshouldbedirectory = 0;
static int statistics = 1; static int statistics = 1;
static int portnumber = 0; static int portnumber = 0;
static int prev_stats_len = 0; static int prev_stats_len = 0;
static int scp_unsafe_mode = 0;
static char *password = NULL; static char *password = NULL;
static int errs = 0; static int errs = 0;
/* GUI Adaptation - Sept 2000 */ /* GUI Adaptation - Sept 2000 */
@ -1173,7 +1174,6 @@ int scp_get_sink_action(struct scp_sink_action *act)
* Simple case: we are only dealing with one file. * Simple case: we are only dealing with one file.
*/ */
fname = scp_sftp_remotepath; fname = scp_sftp_remotepath;
printf("oi :%s:\n", fname);
must_free_fname = 0; must_free_fname = 0;
scp_sftp_donethistarget = 1; scp_sftp_donethistarget = 1;
} else { } else {
@ -1196,12 +1196,10 @@ printf("oi :%s:\n", fname);
!wc_match(head->wildcard, !wc_match(head->wildcard,
head->names[head->namepos].filename)))) head->names[head->namepos].filename))))
head->namepos++; /* skip . and .. */ head->namepos++; /* skip . and .. */
printf("ooh\n");
if (head->namepos < head->namelen) { if (head->namepos < head->namelen) {
fname = dupcat(head->dirpath, "/", fname = dupcat(head->dirpath, "/",
head->names[head->namepos++].filename, head->names[head->namepos++].filename,
NULL); NULL);
printf("got :%s:\n", fname);
must_free_fname = 1; must_free_fname = 1;
} else { } else {
/* /*
@ -1224,7 +1222,7 @@ printf("got :%s:\n", fname);
return 0; return 0;
} }
} }
printf("filename :%s:\n", fname);
/* /*
* Now we have a filename. Stat it, and see if it's a file * Now we have a filename. Stat it, and see if it's a file
* or a directory. * or a directory.
@ -1739,16 +1737,18 @@ static void sink(char *targ, char *src)
* and the last component of that will fail to match * and the last component of that will fail to match
* (the last component of) the name sent. * (the last component of) the name sent.
* *
* (Well, not always; if `src' is a wildcard, we do * Well, not always; if `src' is a wildcard, we do
* expect to get back filenames that don't correspond * expect to get back filenames that don't correspond
* exactly to it. So we skip this check if `src' * exactly to it. Ideally in this case, we would like
* contains a *, a ? or a []. This is non-ideal - we * to ensure that the returned filename actually
* would like to ensure that the returned filename * matches the wildcard pattern - but one of SCP's
* actually matches the wildcard pattern - but one of * protocol infelicities is that wildcard matching is
* SCP's protocol infelicities is that wildcard * done at the server end _by the server's rules_ and
* matching is done at the server end _by the server's * so in general this is infeasible. Hence, we only
* rules_ and so in general this is infeasible. Live * accept filenames that don't correspond to `src' if
* with it, or upgrade to SFTP.) * unsafe mode is enabled or we are using SFTP (which
* resolves remote wildcards on the client side and can
* be trusted).
*/ */
char *striptarget, *stripsrc; char *striptarget, *stripsrc;
@ -1770,10 +1770,16 @@ static void sink(char *targ, char *src)
if (src) { if (src) {
stripsrc = stripslashes(src, 1); stripsrc = stripslashes(src, 1);
if (!stripsrc[strcspn(stripsrc, "*?[]")] && if (strcmp(striptarget, stripsrc) &&
strcmp(striptarget, stripsrc)) { !using_sftp && !scp_unsafe_mode) {
tell_user(stderr, "warning: remote host attempted to" tell_user(stderr, "warning: remote host tried to write "
" write to a different filename: disallowing"); "to a file called '%s'", striptarget);
tell_user(stderr, " when we requested a file "
"called '%s'.", stripsrc);
tell_user(stderr, " If this is a wildcard, "
"consider upgrading to SSH 2 or using");
tell_user(stderr, " the '-unsafe' option. Renaming"
" of this file has been disallowed.");
/* Override the name the server provided with our own. */ /* Override the name the server provided with our own. */
striptarget = stripsrc; striptarget = stripsrc;
} }
@ -2144,6 +2150,7 @@ static void usage(void)
printf(" -v show verbose messages\n"); printf(" -v show verbose messages\n");
printf(" -P port connect to specified port\n"); printf(" -P port connect to specified port\n");
printf(" -pw passw login with specified password\n"); printf(" -pw passw login with specified password\n");
printf(" -unsafe allow server-side wildcards (DANGEROUS)\n");
#if 0 #if 0
/* /*
* -gui is an internal option, used by GUI front ends to get * -gui is an internal option, used by GUI front ends to get
@ -2194,6 +2201,8 @@ int main(int argc, char *argv[])
gui_mode = 1; gui_mode = 1;
} else if (strcmp(argv[i], "-ls") == 0) } else if (strcmp(argv[i], "-ls") == 0)
list = 1; list = 1;
else if (strcmp(argv[i], "-unsafe") == 0)
scp_unsafe_mode = 1;
else if (strcmp(argv[i], "--") == 0) { else if (strcmp(argv[i], "--") == 0) {
i++; i++;
break; break;