nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 03:22:48 -05:00
Code Issues Projects Releases Wiki Activity

Plink: default to sanitising non-tty console output.

Browse Source 
If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.

The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)

For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.

So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.

This all applies the same way to both Unix and Windows Plink.
This commit is contained in:
Simon Tatham
2019-02-20 07:03:57 +00:00
parent 462b8c7b84
commit 91cf47dd0d
4 changed files with 159 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
doc/plink.but
View File

@ -79,6 +79,8 @@ use Plink:
\c -share enable use of connection sharing
\c -hostkey aa:bb:cc:...
\c manually specify a host key (may be repeated)
\c -sanitise-stderr, -sanitise-stdout, -no-sanitise-stderr, -no-sanitise-stdout
\c do/don't strip control chars from standard output/error
\c -m file read remote command(s) from file
\c -s remote command is an SSH subsystem (SSH-2 only)
\c -N don't start a shell/command (SSH-2 only)
@ -282,6 +284,50 @@ zero exit status if a usable \q{upstream} exists, nonzero otherwise.
(This option is only meaningful with the SSH-2 protocol.)
\S2{plink-option-sanitise} \I{-sanitise-stderr}\I{-sanitise-stdout}\I{-no-sanitise-stderr}\I{-no-sanitise-stdout}\c{-sanitise-}\e{stream}: control output sanitisation
In some situations, Plink applies a sanitisation pass to the output
received from the server, to strip out control characters such as
backspace and the escape character.
The idea of this is to prevent remote processes from sending confusing
escape sequences through the standard error channel when Plink is
being used as a transport for something like \cw{git} or CVS. If the
server actually wants to send an error message, it will probably be
plain text; if the server abuses that channel to try to write over
unexpected parts of your terminal display, Plink will try to stop it.
By default, this only happens for output channels which are sent to a
Windows console device, or a Unix terminal device. (Any output stream
going somewhere else is likely to be needed by an 8-bit protocol and
must not be tampered with at all.) It also stops happening if you tell
Plink to allocate a remote pseudo-terminal (see \k{using-cmdline-pty}
and \k{config-ssh-pty}), on the basis that in that situation you often
\e{want} escape sequences from the server to go to your terminal.
But in case Plink guesses wrong about whether you want this
sanitisation, you can override it in either direction, using one of
these options:
\dd \c{-sanitise-stderr}
\dt Sanitise server data written to Plink's standard error channel,
regardless of terminals and consoles and remote ptys.
\dd \c{-no-sanitise-stderr}
\dt Do not sanitise server data written to Plink's standard error
channel.
\dd \c{-sanitise-stdout}
\dt Sanitise server data written to Plink's standard output channel.
\dd \c{-no-sanitise-stdout}
\dt Do not sanitise server data written to Plink's standard output
channel.
\H{plink-batch} Using Plink in \i{batch files} and \i{scripts}
Once you have set up Plink to be able to log in to a remote server