1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-10 18:07:59 +00:00
Commit Graph

7116 Commits

Author SHA1 Message Date
Simon Tatham
c14f0e02cc Stop selectable GTK message boxes clobbering PRIMARY.
I noticed today that when GTK PuTTY puts up a message box such as a
host key dialog, which calls our create_message_box function with
selectable=true (so that the host key fingerprint can be conveniently
copy-pasted), a side effect is to take the X11 PRIMARY selection away
from whoever previously had it, even though the message box isn't
actually selecting anything right now.

I don't fully understand what's going on, but it apparently has
something to do with 'select on focus' behaviour, in which tabbing
into a selectable text control automatically selects its entire
contents. That makes sense for edit boxes, but not really for this
kind of thing.

Unfortunately, GTK apparently has no per-widget configuration to turn
that off. (The closest I found is not even per _application_: it lives
in GtkSettings, whose documentation says that it's general across all
GTK apps run by a user!)

So instead I work around it by moving the gtk_label_set_selectable
call to after the focus of the new window has already been sorted out.
Ugly, but it seems to work.
2022-11-27 13:18:39 +00:00
Simon Tatham
f4519b6533 Add UTF-8 support to the new Windows ConsoleIO system.
This allows you to set a flag in conio_setup() which causes the
returned ConsoleIO object to interpret all its output as UTF-8, by
translating it to UTF-16 and using WriteConsoleW to write it in
Unicode. Similarly, input is read using ReadConsoleW and decoded from
UTF-16 to UTF-8.

This flag is set to false in most places, to avoid making sudden
breaking changes. But when we're about to present a prompts_t to the
user, it's set from the new 'utf8' flag in that prompt, which in turn
is set by the userauth layer in any case where the prompts are going
to the server.

The idea is that this should be the start of a fix for the long-
standing character-set handling bug that strings transmitted during
SSH userauth (usernames, passwords, k-i prompts and responses) are all
supposed to be in UTF-8, but we've always encoded them in whatever our
input system happens to be using, and not done any tidying up on them.
We get occasional complaints about this from users whose passwords
contain characters that are encoded differently between UTF-8 and
their local encoding, but I've never got round to fixing it because
it's a large piece of engineering.

Indeed, this isn't nearly the end of it. The next step is to add UTF-8
support to all the _other_ ways of presenting a prompts_t, as best we
can.

Like the previous change to console handling, it seems very likely
that this will break someone's workflow. So there's a fallback
command-line option '-legacy-charset-handling' to revert to PuTTY's
previous behaviour.
2022-11-26 10:49:03 +00:00
Simon Tatham
80aed96286 New system for reading prompts from the console.
Until now, the command-line PuTTY tools (PSCP, PSFTP and Plink) have
presented all the kinds of interactive prompt (password/passphrase,
host key, the assorted weak-crypto warnings, 'append to log file?') on
standard error, and read the responses from standard input.

This is unfortunate because if you're redirecting their standard
input (especially likely with Plink) then the prompt responses will
consume some of the intended session data. It would be better to
present the prompts _on the console_, even if that's not where stdin
or stderr point.

On Unix, we've been doing this for ages, by opening /dev/tty directly.
On Windows, we didn't, because I didn't know how. But I've recently
found out: you can open the magic file names CONIN$ and CONOUT$, which
will point at your actual console, if one is available.

So now, if it's possible, the command-line tools will do that. But if
the attempt to open CONIN$ and CONOUT$ fails, they'll fall back to the
old behaviour (in particular, if no console is available at all).

In order to make this happen consistently across all the prompt types,
I've introduced a new object called ConsoleIO, which holds whatever
file handles are necessary, knows whether to close them
afterwards (yes if they were obtained by opening CONFOO$, no if
they're the standard I/O handles), and presents a BinarySink API to
write to them and a custom API to read a line of text.

This seems likely to break _someone's_ workflow. So I've added an
option '-legacy-stdio-prompts' to restore the old behaviour.
2022-11-26 10:48:59 +00:00
Simon Tatham
f91c3127ad split_into_argv: add special case for program name.
In the Windows API, there are two places you can get a command line in
the form of a single unsplit string. One is via the command-line
parameter to WinMain(); the other is by calling GetCommandLine(). But
the two have different semantics: the WinMain command line string is
only the part after the program name, whereas GetCommandLine() returns
the full command line _including_ the program name.

PuTTY has never yet had to parse the full output of GetCommandLine,
but I have plans that will involve it beginning to do so. So I need to
make sure the utility function split_into_argv() can handle it.

This is not trivial because the quoting convention is different for
the program name than for everything else. In the program's normal
arguments, parsed by the C library startup code, the convention is
that backslashes are special when they appear before a double quote,
because that's how you write a literal double quote. But in the
program name, backslashes are _never_ special, because that's how
CreateProcess parses the program name at the start of the command
line, and the C library must follow suit in order to correctly
identify where the program name ends and the arguments begin.

In particular, consider a command line such as this:

    "C:\Program Files\Foo\"foo.exe "hello \"world\""

The \" in the middle of the program name must be treated as a literal
backslash, followed by a non-literal double quote which matches the
one at the start of the string and causes the space in 'Program Files'
to be treated as part of the pathname. But the same \" when it appears
in the subsequent argument is treated as an escaped double quote, and
turns into a literal " in the argument string.

This commit adds support for this special initial-word handling in
split_into_argv(), via an extra boolean argument indicating whether to
turn that mode on. However, all existing call sites set the flag to
false, because the new mode isn't needed _yet_. So there should be no
functional change.
2022-11-26 10:32:36 +00:00
Simon Tatham
dbd0bde415 New utility function burnwcs().
Just like burnstr(), it memsets a NUL-terminated string to all zeroes
before freeing it. The only difference is that it does it to a string
of wchar_t.
2022-11-26 10:32:36 +00:00
Simon Tatham
1625fd8fcb Handle the -batch option centrally in cmdline.c.
This removes one case from several of the individual tools'
command-line parsers, and moves it into a central place where it will
automatically be supported by any tool containing console.c.

In order to make that not cause a link failure, there's now a
stubs/no-console.c which GUI clients of cmdline.c must include.
2022-11-26 10:31:18 +00:00
Simon Tatham
819efc3c21 Support horizontal scroll events in mouse tracking.
Horizontal scroll events aren't generated by the traditional mouse
wheel, but they can be generated by trackpad gestures, though this
isn't always configured on.

The cross-platform and Windows parts of this patch is due to
Christopher Plewright; I added the GTK support.
2022-11-26 10:29:27 +00:00
Simon Tatham
5f2eff2fea Build option to disable scrollback compression.
This was requested by a downstream of the code, who wanted to change
the time/space tradeoff in the terminal. I currently have no plans to
change this setting for upstream PuTTY, although there is a cmake
option for it just to make testing it easy.

To avoid sprinkling ifdefs over the whole terminal code, the strategy
is to keep the separate type 'compressed_scrollback_line', and turn it
into a typedef for a 'termline *'. So compressline() becomes almost
trivial, and decompressline() even more so.

Memory management is the fiddly part. To make this work sensibly on
both sides, I've broken up each of compressline() and decompressline()
into two versions, one of which takes ownership of (and logically
speaking frees) its input, and the other doesn't. So at call sites
where a function was followed by a free, it's now calling the
'and_free' version of the function, and where the input object was
reused afterwards, it's calling the 'no_free' version. This means that
in different branches of the #if, I can make one function call the
other or vice versa, and no call site is stuck with having to do
things in a more roundabout way than necessary.

The freeing of the _return_ value from decompressline() is handled for
us, because termlines already have a 'temporary' flag which is set
when they're returned from the decompressor, and anyone receiving a
termline from lineptr() calls unlineptr() when they're finished with
it, which will _conditionally_ free it, depending on that 'temporary'
flag. So in the new mode, 'temporary' is never set at all, and all
those unlineptr() calls do nothing.

However, we also still need to free compressed lines properly when
they're actually being thrown away (scrolled off the top of the
scrollback, or cleaned up in term_free), and for that, I've made a new
special-purpose free_compressed_line() function.
2022-11-20 15:04:00 +00:00
Simon Tatham
fec6719a2b Fix duplicate call to term_resize_request_completed().
A KDE user observed that if you 'dock' a GTK PuTTY window to the side
of the screen (by dragging it to the RH edge, causing it to
half-maximise over the right-hand half of the display, similarly to
Windows), and then send a terminal resize sequence, then PuTTY fails
the assertion in term_resize_request_completed() which expects that an
unacknowledged resize request was currently in flight.

When drawing_area_setup() calls term_resize_request_completed() in
response to the inst->term_resize_notification_required flag, it
resets the inst->win_resize_pending flag, but doesn't reset
inst->term_resize_notification_required. As a result, the _next_ call
to drawing_area_setup will find that flag still set, and make a
duplicate call to term_resize_request_completed, after the terminal no
longer believes it's waiting for a response to a resize request. And
in this 'docked to the right-hand side of the display' state, KDE
apparently triggers two calls to drawing_area_setup() in quick
succession, making this bug manifest.

I could fix this by clearing inst->term_resize_notification_required.
But inspecting all the other call sites, it seems clear to me that my
original intention was for inst->term_resize_notification_required to
be a flag that's only meaningful if inst->win_resize_pending is set.
So I think a better fix is to conditionalise the check in
drawing_area_setup so that we don't even check
inst->term_resize_notification_required if !inst->win_resize_pending.
2022-11-14 22:21:49 +00:00
Ben Jackson
3cfbd3df0f Support xterm any-event mouse tracking
From https://invisible-island.net/xterm/ctlseqs/ctlseqs.html#h3-Any-event-tracking:

    Any-event mode is the same as button-event mode, except that all motion
    events are reported, even if no mouse button is down.  It is enabled by
    specifying 1003 to DECSET.

Normally the front ends only report mouse events when buttons are
pressed, so we introduce a MA_MOVE event with MBT_NOTHING set to
indicate such a mouse movement.
2022-11-11 17:26:09 +00:00
Simon Tatham
854d78eef3 Fix build failure on Visual Studio.
Unlike clang, VS didn't like me using the value of one 'static const'
integer variable to compute the value of another, and complained
'initializer is not a constant'. Replaced all those variables with an
enum, which should also more reliably ensure that even an
unsophisticated compiler doesn't actually reserve data-section space
for them.
2022-11-11 12:42:19 +00:00
Simon Tatham
d3e186e81b Function to check a UTF-8 string for unknown characters.
So we can reject things we don't know how to NFC yet.
2022-11-11 08:49:05 +00:00
Simon Tatham
b35d23f699 Implement Unicode normalisation.
A new module in 'utils' computes NFC and NFD, via a new set of data
tables generated by read_ucd.py.

The new module comes with a new test program, which can read the
NormalizationTest.txt that appears in the Unicode Character Database.
All the tests pass, as of Unicode 15.
2022-11-11 08:48:18 +00:00
Simon Tatham
4cb429e3f4 Update to Unicode 15.
Now I have a script I can easily re-run, there's no reason not to do
just that! This updates all of the new generated header files for the
UCD.zip that comes with Unicode 15.0.0.

I've re-run my bidi test suite against 15.0.0's file of test cases,
and confirmed they all pass.
2022-11-11 08:44:07 +00:00
Simon Tatham
4bb37233a5 Commit read_ucd.py's output and switch over to it.
This removes the superseded tables in source files, and also all the
code snippets in comments that generated them.
2022-11-11 08:44:07 +00:00
Simon Tatham
430af47a38 Polish the output of read_ucd.py.
The initial outputs were all deliberately inconsistent with each
other, so that each one exactly matched the existing table I was
trying to replace.

Now I've done that check, I can clean them up. Normalised spacing and
case to be consistent; removed pointless indentation (these are now
include files, so they don't have to be indented to the same level as
the array declaration surrounding each one's #include); added a header
comment in each autogenerated file, saying that it's autogenerated,
what it's for, and who it's used by.

The currently supported version number of Unicode is also exposed in a
header file, so that I can put it in diagnostics.
2022-11-11 08:44:01 +00:00
Simon Tatham
b72c9aba28 New script to generate Unicode data tables.
This will replace the various pieces of Perl scattered throughout the
code base in comments above long boring data tables. The idea is that
those long boring tables will move into header files in the new
'unicode' directory, and will be #included from the source files that
use the tables.

One benefit is that I won't have to page tediously past the tables to
get to the actual code I want to edit. But more importantly, it should
now become easy to update to a new version of Unicode, by re-running
just one script and committing the changed versions of all the headers
in the 'unicode' subdir.

This version of the script regenerates six Unicode-derived tables in
the existing source code in a byte-for-byte identical form. In the
next commits I'll clean it up, commit the output, and delete the
tables from their previous locations.

(One table I _haven't_ incorporated into this system is the Arabic
shaping table in bidi.c, because my attempt to regenerate it came out
not matching the original at all. That _might_ be because the table is
based on an old Unicode standard and desperately needs updating, but
it might also be because I misunderstood how it works. So I'll leave
sorting that out for another time.)
2022-11-09 19:21:02 +00:00
Simon Tatham
69e217d23a Make decode_utf8() read from a BinarySource.
This enables it to handle data that isn't presented as a
NUL-terminated string.

In particular, the NUL byte can appear _within_ the string and be
correctly translated to the NUL wide character. So I've been able to
remove the awkwardness in the test rig of having to include the
terminating NUL in every test to ensure NUL has been tested, and
instead, insert a single explicit test for it.

Similarly to the previous commit, the simplification at the (one) call
site gives me a strong feeling of 'this is what the API should have
been all along'!
2022-11-09 19:21:02 +00:00
Simon Tatham
d89f2bfc55 Fix typo in decode_utf8 tests.
The test in question was supposed to contain the spurious UTF-8
encoding that 0xD800 would have if it were not a surrogate. But the
final continuation character 0x80 was instead 0x00.

The test passed anyway, because ED A0 was regarded as a truncated
sequence, instead of ED A0 80 being regarded as an illegal encoding of
a surrogate, and both return the same output!
2022-11-09 19:21:02 +00:00
Simon Tatham
834b58e39b Make encode_utf8() output to a BinarySink.
Previously it output to an ordinary char buffer, and returned the
number of bytes it had written. But three out of the four call sites
immediately chucked the resulting bytes into a BinarySink anyway. The
fourth, in windows/unicode.c, really is writing into successive
locations of a fixed-size buffer - but we can make that into a
BinarySink too, using the buffer_sink added in the previous commit.

So now encode_utf8() is renamed put_utf8_char, and the call sites all
look simpler than they started out.
2022-11-09 19:02:32 +00:00
Simon Tatham
991e22c9bb Implement a BinarySink writing to a fixed-size buffer.
This is one of marshal.c's small collection of handy BinarySink
adapters to existing kinds of thing, alongside stdio_sink and
bufchain_sink. It writes into a fixed-size buffer, discarding all
writes after the buffer fills up, and sets a flag to let you know if
it overflowed.

There was one of these in Windows Pageant a while back, under the name
'struct PageantReply' (introduced in commit b6cbad89fc, removed
again in 98538caa39 when the named-pipe revamp made it
unnecessary). This is the same idea but centralised for reusability.
2022-11-09 19:00:04 +00:00
Jacob Nevins
c8ba48be43 PuTTY WinMain: comment when config box pops up.
It's not entirely obvious, these days.
2022-11-06 02:05:17 +00:00
Jacob Nevins
9209c7ea38 Tweak another certified-host-key-prompt.
Like 5f3b743eb0, specifically reassure the user that taking the
add-to-cache action will not cause the CA that signed the key to be
trusted in any wider context, in the case where there was no previous
certified key cached. (I don't know why I missed this out before.)
2022-11-06 01:56:20 +00:00
Jacob Nevins
68db3d195d Use correct date in cert check error.
When a host certificate was used outside its valid date range, we were
displaying the current time where we meant to show the relevant bound of
the validity range.
2022-11-05 23:57:38 +00:00
Jacob Nevins
f78a1a944f Docs: fix typo in SUPDUP section. 2022-11-02 23:58:23 +00:00
Jacob Nevins
ebceb8bc94 Windows: fix terminal hang with resize forbidden.
A server attempt to resize the window (for instance via DECCOLM) when
"When window is resized" was set to "Forbid resizing completely" would
cause all terminal output to be suspended, due to the resize attempt
never being acknowledged.

(There are other code paths like this, which I've fixed for
completeness, but I don't think they have any effect: the terminal
filters out resize attempts to the current size before this point, and
even if a server can get such a request through the SUPDUP protocol, the
test for that is wrong and will never fire -- this needs fixing
separately.)
2022-11-02 23:51:57 +00:00
Simon Tatham
79b1cb2267 testcrypt: remove some pointless macros.
I just happened to notice ARG1 and ARGN in the code that builds the
dispatch table in process_line(), which aren't used at all, because
they date from a previous version of the testcrypt-func.h macro
system. They were supposed to be replaced everywhere with the unified
ARG.

So why didn't the missing definition of ARG break anything? Because
ARG only ever appears in the variadic part of a FUNC_INNER call - and
for this particular trawl of testcrypt-func.h, the variadic part isn't
ever used in the macro expansion in the first place. So there's no
need to define ARG and VOID to anything at all, not even the empty
string.
2022-10-30 10:38:36 +00:00
Jacob Nevins
f9a8213d95 Docs: add a 'pdf' cmake target.
We still don't build or ship a PDF PuTTY manual by default, but we may
as well conveniently expose Halibut's ability to do so.

(I don't guarantee the resulting PDF is particularly pretty -- some of
our overlong code lines do go off the right margin currently.)
2022-10-29 15:30:26 +01:00
Simon Tatham
d39bcaedba Some checklist updates for the Windows Store.
I didn't actually get these things wrong during the submission of
0.78, but I did notice that I'd forgotten to write them down.
2022-10-29 10:52:29 +01:00
Simon Tatham
2916f92467 Merge tag '0.78', for real this time.
Oops. The previous merge came from a version of the release tag we
ended up not using. This one reflects what really went into the
release.
2022-10-29 10:50:38 +01:00
Simon Tatham
fe2acf9984 Merge tag '0.78' 2022-10-29 08:55:53 +01:00
Simon Tatham
4ff82ab29a Update version number for 0.78 release. 2022-10-28 18:19:19 +01:00
Simon Tatham
475c23875e Unix: stop accessing ctrl->fileselect for font selectors.
The setup code for CTRL_FILESELECT and CTRL_FONTSELECT is shared,
which means it's a mistake to test ctrl->fileselect.just_button in it
without first checking which control type we're actually dealing with.

UBsan picks this up by complaining that the just_button field contains
some byte value that's illegal for a boolean. I think it's also the
cause of an intermittent assertion failure reported recently, in which
dlg_fontsel_set finds that uc->entry is NULL when it never ought to
be. If the byte from the wrong union branch happened to be 0 by sheer
bad luck, that could give rise to exactly that failure.
2022-10-28 17:49:59 +01:00
Jacob Nevins
329a4cdd79 authplugin-example.py: Flush stderr.
Python 3's stderr was fully-buffered when non-interactive, unlike
Python 2 and more or less everything else, until 3.9 in 2020(!):
https://bugs.python.org/issue13601

(It would be less faff to sys.stderr.reconfigure(line_buffering=True)
at the start, but that was only added in 3.7, whereas the 'flush'
argument to print() dates back to 3.3, so I chose that to minimise
the risk of version dependencies getting in the way of using this as
a working example.)
2022-10-24 12:52:44 +01:00
Jacob Nevins
538c8fd29c authplugin-example.py: Mention documentation.
(Just in case anyone's entry point is this example, and concludes they
have to reverse-engineer the protocol from the script.)
2022-10-24 12:50:58 +01:00
Simon Tatham
63edea07db Update version number for 0.78 release. 2022-10-23 18:00:14 +01:00
Simon Tatham
9701a3dcaa Merge osc_strlen fix from 'pre-0.78'. 2022-10-23 17:46:00 +01:00
Simon Tatham
a7106d8eb2 Add missing initialisation of term->osc_strlen.
An uninitialised value could have got as far as do_osc() via the
relatively recent code path for early termination of an OSC before
it's fully set up.
2022-10-23 17:45:51 +01:00
Simon Tatham
8b751c71c9 Merge -pwfile semantics fix from 'pre-0.78'. 2022-10-23 14:14:28 +01:00
Simon Tatham
bdb3ac9f3b Restrict -pwfile / -pw to apply to server prompts only.
Jacob spotted that an unused -pwfile input can be accidentally used as
the answer to Plink's antispoof 'press Return to begin session'
prompt, which is unintended and confusing.

To fix that, I've made the use of a command-line password conditional
on p->to_server, the flag in a prompts_t that indicates whether the
results of the prompts are going to be sent directly to the server or
consumed locally by PuTTY. (And I've also corrected the setting of
to_server in the antispoof prompt, which was true when it should have
been false.)

A side effect of this is that -pwfile will no longer work to provide a
private-key passphrase, if you're using public-key authentication
without Pageant. This is deliberate, because if you're doing that on
purpose then Pageant is a better way to achieve the same thing (or
else just store the key unencrypted, which is no worse); but in the
case of a server that sequentially demands public-key _and_ password
authentication, the new behaviour makes -pwfile apply to the right one
of the two prompts, i.e. the actual password.
2022-10-23 14:13:55 +01:00
Jacob Nevins
b2dbde11ce Merge comment fix from 'pre-0.78'. 2022-10-23 12:39:53 +01:00
Jacob Nevins
2fbb9284f3 Fix outdated comment relating to -pw. 2022-10-23 12:38:00 +01:00
Jacob Nevins
f7e86ca267 README: remove mention of doc/Makefile.
While cmake might create it, it's not something we ship any more.

This is a combined cherry-pick of:
  afebe8027f
  f229aab20c
2022-10-23 12:37:20 +01:00
Jacob Nevins
f229aab20c Rewrap a paragraph in README. 2022-10-23 12:36:24 +01:00
Jacob Nevins
afebe8027f README: remove mention of doc/Makefile.
While cmake might create it, it's not something we ship any more.
2022-10-22 09:59:02 +01:00
Simon Tatham
25d0a85c1f Merge build fix and checklist update from 'pre-0.78'. 2022-10-22 08:24:29 +01:00
Simon Tatham
0c59d49683 Update the pre-release-candidate testing checklist.
Removed 'try cmake 3.7 on Windows': I think that's not really
necessary, because Windows doesn't have the concept of an old overall
distro that makes it hard to upgrade a particular build tool.

On the other hand, added a big pile of other things I'd like not to
forget.
2022-10-22 08:23:06 +01:00
Simon Tatham
d2795e5cb5 Fix build with GTK3 prior to 3.22.23.
Those versions of GTK (or rather, GDK) don't support the
GDK_WINDOW_STATE_TOP_TILED constants; they only support the
non-directional GDK_WINDOW_STATE_TILED. And GTK < 3.10.0 doesn't even
support that.

All those constants were under #ifdef already; I've just made the
ifdefs a bit more precise.
2022-10-22 07:48:56 +01:00
Jacob Nevins
2622e5266b Merge cert expr tweak from 'pre-0.78'. 2022-10-22 01:25:13 +01:00
Jacob Nevins
75ac444324 Document subdomain matching of cert expr wildcards.
In the manual, in comments, and in a new test.
2022-10-22 01:22:10 +01:00