1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 01:02:24 +00:00

Rework handling of untrusted terminal data.

Now there's a centralised routine in misc.c to do the sanitisation,
which copies data on to an outgoing bufchain. This allows me to remove
from_backend_untrusted() completely from the frontend API, simplifying
code in several places.

Two use cases for untrusted-terminal-data sanitisation were in the
terminal.c prompts handler, and in the collection of SSH-2 userauth
banners. Both of those were writing output to a bufchain anyway, so
it was very convenient to just replace a bufchain_add with
sanitise_term_data and then not have to worry about it again.

There was also a simplistic sanitiser in uxcons.c, which I've now
replaced with a call to the good one - and in wincons.c there was a
FIXME saying I ought to get round to that, which now I have!
This commit is contained in:
Simon Tatham 2018-09-19 18:22:36 +01:00
parent af8e526a7d
commit 63a14f26f7
13 changed files with 64 additions and 85 deletions

27
misc.c
View File

@ -826,6 +826,33 @@ int bufchain_try_fetch_consume(bufchain *ch, void *data, int len)
}
}
/* ----------------------------------------------------------------------
* Sanitise terminal output that we have reason not to trust, e.g.
* because it appears in the login banner or password prompt from a
* server, which we'd rather not permit to use arbitrary escape
* sequences.
*/
void sanitise_term_data(bufchain *out, const void *vdata, int len)
{
const char *data = (const char *)vdata;
int i;
/*
* FIXME: this method of sanitisation is ASCII-centric. It would
* be nice to permit SSH banners and the like to contain printable
* Unicode, but that would need a lot more complicated code here
* (not to mention knowing what character set it should interpret
* the data as).
*/
for (i = 0; i < len; i++) {
if (data[i] == '\n')
bufchain_add(out, "\r\n", 2);
else if (data[i] >= ' ' && data[i] < 0x7F)
bufchain_add(out, data + i, 1);
}
}
/* ----------------------------------------------------------------------
* My own versions of malloc, realloc and free. Because I want
* malloc and realloc to bomb out and exit the program if they run

2
misc.h
View File

@ -90,6 +90,8 @@ void bufchain_fetch(bufchain *ch, void *data, int len);
void bufchain_fetch_consume(bufchain *ch, void *data, int len);
int bufchain_try_fetch_consume(bufchain *ch, void *data, int len);
void sanitise_term_data(bufchain *out, const void *vdata, int len);
int validate_manual_hostkey(char *key);
struct tm ltime(void);

9
pscp.c
View File

@ -196,15 +196,6 @@ int from_backend(Frontend *frontend, int is_stderr,
return 0;
}
int from_backend_untrusted(Frontend *frontend, const void *data, int len)
{
/*
* No "untrusted" output should get here (the way the code is
* currently, it's all diverted by FLAG_STDERR).
*/
assert(!"Unexpected call to from_backend_untrusted()");
return 0; /* not reached */
}
int from_backend_eof(Frontend *frontend)
{
/*

View File

@ -2551,15 +2551,6 @@ int from_backend(Frontend *frontend, int is_stderr,
return 0;
}
int from_backend_untrusted(Frontend *frontend, const void *data, int len)
{
/*
* No "untrusted" output should get here (the way the code is
* currently, it's all diverted by FLAG_STDERR).
*/
assert(!"Unexpected call to from_backend_untrusted()");
return 0; /* not reached */
}
int from_backend_eof(Frontend *frontend)
{
/*

View File

@ -712,7 +712,6 @@ void frontend_echoedit_update(Frontend *frontend, int echo, int edit);
* shutdown. */
void update_specials_menu(Frontend *frontend);
int from_backend(Frontend *frontend, int is_stderr, const void *data, int len);
int from_backend_untrusted(Frontend *frontend, const void *data, int len);
/* Called when the back end wants to indicate that EOF has arrived on
* the server-to-client stream. Returns FALSE to indicate that we
* intend to keep the session open in the other direction, or TRUE to
@ -1130,7 +1129,6 @@ void term_request_copy(Terminal *, const int *clipboards, int n_clipboards);
void term_request_paste(Terminal *, int clipboard);
void term_seen_key_event(Terminal *);
int term_data(Terminal *, int is_stderr, const void *data, int len);
int term_data_untrusted(Terminal *, const void *data, int len);
void term_provide_backend(Terminal *term, Backend *backend);
void term_provide_logctx(Terminal *term, LogContext *logctx);
void term_set_focus(Terminal *term, int has_focus);

16
ssh.c
View File

@ -1078,14 +1078,6 @@ static void c_write(Ssh ssh, const void *buf, int len)
from_backend(ssh->frontend, 1, buf, len);
}
static void c_write_untrusted(Ssh ssh, const void *buf, int len)
{
if (flags & FLAG_STDERR)
c_write_stderr(0, buf, len);
else
from_backend_untrusted(ssh->frontend, buf, len);
}
static void c_write_str(Ssh ssh, const char *buf)
{
c_write(ssh, buf, strlen(buf));
@ -7066,7 +7058,7 @@ static void ssh2_msg_userauth_banner(Ssh ssh, PktIn *pktin)
bufchain_size(&ssh->banner) <= 131072) {
ptrlen banner = get_string(pktin);
if (banner.len)
bufchain_add(&ssh->banner, banner.ptr, banner.len);
sanitise_term_data(&ssh->banner, banner.ptr, banner.len);
}
}
@ -7679,11 +7671,15 @@ static void do_ssh2_userauth(void *vctx)
* banner _anyway_, and moreover the printing of
* the banner will screw up processing on the
* output of (say) plink.)
*
* The banner data has been sanitised already by this
* point, so we can safely send it straight to the
* output channel.
*/
if (size && (flags & (FLAG_VERBOSE | FLAG_INTERACTIVE))) {
char *banner = snewn(size, char);
bufchain_fetch(&ssh->banner, banner, size);
c_write_untrusted(ssh, banner, size);
c_write(ssh, banner, size);
sfree(banner);
}
bufchain_clear(&ssh->banner);

View File

@ -6624,10 +6624,8 @@ int term_ldisc(Terminal *term, int option)
return FALSE;
}
int term_data(Terminal *term, int is_stderr, const void *data, int len)
static void term_added_data(Terminal *term)
{
bufchain_add(&term->inbuf, data, len);
if (!term->in_term_out) {
term->in_term_out = TRUE;
term_reset_cblink(term);
@ -6640,6 +6638,12 @@ int term_data(Terminal *term, int is_stderr, const void *data, int len)
term_out(term);
term->in_term_out = FALSE;
}
}
int term_data(Terminal *term, int is_stderr, const void *data, int len)
{
bufchain_add(&term->inbuf, data, len);
term_added_data(term);
/*
* term_out() always completely empties inbuf. Therefore,
@ -6663,23 +6667,10 @@ int term_data(Terminal *term, int is_stderr, const void *data, int len)
return 0;
}
/*
* Write untrusted data to the terminal.
* The only control character that should be honoured is \n (which
* will behave as a CRLF).
*/
int term_data_untrusted(Terminal *term, const void *vdata, int len)
static void term_data_untrusted(Terminal *term, const void *data, int len)
{
const char *data = (const char *)vdata;
int i;
/* FIXME: more sophisticated checking? */
for (i = 0; i < len; i++) {
if (data[i] == '\n')
term_data(term, 1, "\r\n", 2);
else if (data[i] & 0x60)
term_data(term, 1, data + i, 1);
}
return 0; /* assumes that term_data() always returns 0 */
sanitise_term_data(&term->inbuf, data, len);
term_added_data(term);
}
void term_provide_logctx(Terminal *term, LogContext *logctx)

View File

@ -305,11 +305,6 @@ int from_backend(Frontend *inst, int is_stderr, const void *data, int len)
return term_data(inst->term, is_stderr, data, len);
}
int from_backend_untrusted(Frontend *inst, const void *data, int len)
{
return term_data_untrusted(inst->term, data, len);
}
int from_backend_eof(Frontend *inst)
{
return TRUE; /* do respond to incoming EOF with outgoing */

View File

@ -448,11 +448,16 @@ static void console_close(FILE *outfp, int infd)
static void console_prompt_text(FILE *outfp, const char *data, int len)
{
int i;
bufchain sanitised;
void *vdata;
for (i = 0; i < len; i++)
if ((data[i] & 0x60) || (data[i] == '\n'))
fputc(data[i], outfp);
bufchain_init(&sanitised);
sanitise_term_data(&sanitised, data, len);
while (bufchain_size(&sanitised) > 0) {
bufchain_prefix(&sanitised, &vdata, &len);
fwrite(vdata, 1, len, outfp);
bufchain_consume(&sanitised, len);
}
fflush(outfp);
}

View File

@ -413,16 +413,6 @@ int from_backend(Frontend *frontend, int is_stderr,
}
}
int from_backend_untrusted(Frontend *frontend, const void *data, int len)
{
/*
* No "untrusted" output should get here (the way the code is
* currently, it's all diverted by FLAG_STDERR).
*/
assert(!"Unexpected call to from_backend_untrusted()");
return 0; /* not reached */
}
int from_backend_eof(Frontend *frontend)
{
assert(outgoingeof == EOF_NO);

View File

@ -348,8 +348,16 @@ void logevent(Frontend *frontend, const char *string)
static void console_data_untrusted(HANDLE hout, const char *data, int len)
{
DWORD dummy;
/* FIXME: control-character filtering */
WriteFile(hout, data, len, &dummy, NULL);
bufchain sanitised;
void *vdata;
bufchain_init(&sanitised);
sanitise_term_data(&sanitised, data, len);
while (bufchain_size(&sanitised) > 0) {
bufchain_prefix(&sanitised, &vdata, &len);
WriteFile(hout, vdata, len, &dummy, NULL);
bufchain_consume(&sanitised, len);
}
}
int console_get_userpass_input(prompts_t *p)

View File

@ -5922,11 +5922,6 @@ int from_backend(Frontend *frontend, int is_stderr, const void *data, int len)
return term_data(term, is_stderr, data, len);
}
int from_backend_untrusted(Frontend *frontend, const void *data, int len)
{
return term_data_untrusted(term, data, len);
}
int from_backend_eof(Frontend *frontend)
{
return TRUE; /* do respond to incoming EOF with outgoing */

View File

@ -114,16 +114,6 @@ int from_backend(Frontend *frontend, int is_stderr,
return handle_backlog(stdout_handle) + handle_backlog(stderr_handle);
}
int from_backend_untrusted(Frontend *frontend, const void *data, int len)
{
/*
* No "untrusted" output should get here (the way the code is
* currently, it's all diverted by FLAG_STDERR).
*/
assert(!"Unexpected call to from_backend_untrusted()");
return 0; /* not reached */
}
int from_backend_eof(Frontend *frontend)
{
handle_write_eof(stdout_handle);