mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-01 11:32:48 -05:00
Plink: default to sanitising non-tty console output.
If Plink's standard output and/or standard error points at a Windows console or a Unix tty device, and if Plink was not configured to request a remote pty (and hence to send a terminal-type string), then we apply the new control-character stripping facility. The idea is to be a mild defence against malicious remote processes sending confusing escape sequences through the standard error channel when Plink is being used as a transport for something like git: it's OK to have actual sensible error messages come back from the server, but when you run a git command, you didn't really intend to give the remote server the implicit licence to write _all over_ your local terminal display. At the same time, in that scenario, the standard _output_ of Plink is left completely alone, on the grounds that git will be expecting it to be 8-bit clean. (And Plink can tell that because it's redirected away from the console.) For interactive login sessions using Plink, this behaviour is disabled, on the grounds that once you've sent a terminal-type string it's assumed that you were _expecting_ the server to use it to know what escape sequences to send to you. So it should be transparent for all the use cases I've so far thought of. But in case it's not, there's a family of new command-line options like -no-sanitise-stdout and -sanitise-stderr that you can use to forcibly override the autodetection of whether to do it. This all applies the same way to both Unix and Windows Plink.
This commit is contained in:
Simon Tatham
@ -33,6 +33,9 @@ void cmdline_error(const char *fmt, ...)
|
||||
|
||||
HANDLE inhandle, outhandle, errhandle;
|
||||
struct handle *stdin_handle, *stdout_handle, *stderr_handle;
|
||||
handle_sink stdout_hs, stderr_hs;
|
||||
StripCtrlChars *stdout_scc, *stderr_scc;
|
||||
BinarySink *stdout_bs, *stderr_bs;
|
||||
DWORD orig_console_mode;
|
||||
|
||||
WSAEVENT netevent;
|
||||
@ -64,11 +67,8 @@ static void plink_echoedit_update(Seat *seat, bool echo, bool edit)
|
||||
static size_t plink_output(
|
||||
Seat *seat, bool is_stderr, const void *data, size_t len)
|
||||
{
|
||||
if (is_stderr) {
|
||||
handle_write(stderr_handle, data, len);
|
||||
} else {
|
||||
handle_write(stdout_handle, data, len);
|
||||
}
|
||||
BinarySink *bs = is_stderr ? stderr_bs : stdout_bs;
|
||||
put_data(bs, data, len);
|
||||
|
||||
return handle_backlog(stdout_handle) + handle_backlog(stderr_handle);
|
||||
}
|
||||
@ -165,6 +165,10 @@ static void usage(void)
|
||||
printf(" -share enable use of connection sharing\n");
|
||||
printf(" -hostkey aa:bb:cc:...\n");
|
||||
printf(" manually specify a host key (may be repeated)\n");
|
||||
printf(" -sanitise-stderr, -sanitise-stdout, "
|
||||
"-no-sanitise-stderr, -no-sanitise-stdout\n");
|
||||
printf(" do/don't strip control chars from standard "
|
||||
"output/error\n");
|
||||
printf(" -m file read remote command(s) from file\n");
|
||||
printf(" -s remote command is an SSH subsystem (SSH-2 only)\n");
|
||||
printf(" -N don't start a shell/command (SSH-2 only)\n");
|
||||
@ -263,6 +267,7 @@ int main(int argc, char **argv)
|
||||
bool errors;
|
||||
bool use_subsystem = false;
|
||||
bool just_test_share_exists = false;
|
||||
enum TriState sanitise_stdout = AUTO, sanitise_stderr = AUTO;
|
||||
unsigned long now, next, then;
|
||||
const struct BackendVtable *vt;
|
||||
|
||||
@ -334,6 +339,18 @@ int main(int argc, char **argv)
|
||||
exit(1);
|
||||
} else if (!strcmp(p, "-shareexists")) {
|
||||
just_test_share_exists = true;
|
||||
} else if (!strcmp(p, "-sanitise-stdout") ||
|
||||
!strcmp(p, "-sanitize-stdout")) {
|
||||
sanitise_stdout = FORCE_ON;
|
||||
} else if (!strcmp(p, "-no-sanitise-stdout") ||
|
||||
!strcmp(p, "-no-sanitize-stdout")) {
|
||||
sanitise_stdout = FORCE_OFF;
|
||||
} else if (!strcmp(p, "-sanitise-stderr") ||
|
||||
!strcmp(p, "-sanitize-stderr")) {
|
||||
sanitise_stderr = FORCE_ON;
|
||||
} else if (!strcmp(p, "-no-sanitise-stderr") ||
|
||||
!strcmp(p, "-no-sanitize-stderr")) {
|
||||
sanitise_stderr = FORCE_OFF;
|
||||
} else if (*p != '-') {
|
||||
char *command;
|
||||
int cmdlen, cmdsize;
|
||||
@ -482,6 +499,37 @@ int main(int argc, char **argv)
|
||||
*/
|
||||
stdout_handle = handle_output_new(outhandle, stdouterr_sent, NULL, 0);
|
||||
stderr_handle = handle_output_new(errhandle, stdouterr_sent, NULL, 0);
|
||||
handle_sink_init(&stdout_hs, stdout_handle);
|
||||
handle_sink_init(&stderr_hs, stderr_handle);
|
||||
stdout_bs = BinarySink_UPCAST(&stdout_hs);
|
||||
stderr_bs = BinarySink_UPCAST(&stderr_hs);
|
||||
|
||||
/*
|
||||
* Decide whether to sanitise control sequences out of standard
|
||||
* output and standard error.
|
||||
*
|
||||
* If we weren't given a command-line override, we do this if (a)
|
||||
* the fd in question is pointing at a console, and (b) we aren't
|
||||
* trying to allocate a terminal as part of the session.
|
||||
*
|
||||
* (Rationale: the risk of control sequences is that they cause
|
||||
* confusion when sent to a local console, so if there isn't one,
|
||||
* no problem. Also, if we allocate a remote terminal, then we
|
||||
* sent a terminal type, i.e. we told it what kind of escape
|
||||
* sequences we _like_, i.e. we were expecting to receive some.)
|
||||
*/
|
||||
if (sanitise_stdout == FORCE_ON ||
|
||||
(sanitise_stdout == AUTO && is_console_handle(outhandle) &&
|
||||
conf_get_bool(conf, CONF_nopty))) {
|
||||
stdout_scc = stripctrl_new(stdout_bs, true, L'\0');
|
||||
stdout_bs = BinarySink_UPCAST(stdout_scc);
|
||||
}
|
||||
if (sanitise_stderr == FORCE_ON ||
|
||||
(sanitise_stderr == AUTO && is_console_handle(errhandle) &&
|
||||
conf_get_bool(conf, CONF_nopty))) {
|
||||
stderr_scc = stripctrl_new(stderr_bs, true, L'\0');
|
||||
stderr_bs = BinarySink_UPCAST(stderr_scc);
|
||||
}
|
||||
|
||||
main_thread_id = GetCurrentThreadId();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user