simon-git: putty (master): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Wed Feb 20 18:52:56 GMT 2019
TL;DR:
bc1aa9c6 Add BinarySink wrappers on existing forms of output.
f9b1a2bb New Windows utility function: is_console_handle().
6593009b New utility object, StripCtrlChars.
462b8c7b Give FORCE_ON / FORCE_OFF / AUTO an enum name.
91cf47dd Plink: default to sanitising non-tty console output.
2675f957 File transfer tools: sanitise remote filenames and stderr.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: master
Committer: Simon Tatham <anakin at pobox.com>
Date: 2019-02-20 18:52:56
commit bc1aa9c656c8aa390329329ac0fdc6c2de89d547
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=bc1aa9c656c8aa390329329ac0fdc6c2de89d547;hp=5dadbdf55657f9cc5e15e9fae5c30142b7fdbf45
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 20 06:52:54 2019 +0000
Add BinarySink wrappers on existing forms of output.

There's now a stdio_sink, whose write function calls fwrite on the
given FILE *; a bufchain_sink, whose write function appends to the
given bufchain; and on Windows there's a handle_sink whose write
function writes to the given 'struct handle'. (That is, not the raw
Windows HANDLE, but our event-loop-friendly wrapper on it.)

Not yet used for anything, but they're about to be.
defs.h | 3 +++
marshal.c | 24 ++++++++++++++++++++++++
marshal.h | 19 +++++++++++++++++++
windows/winhandl.c | 12 ++++++++++++
windows/winstuff.h | 7 +++++++
5 files changed, 65 insertions(+)
commit f9b1a2bbc24f846e19b65167de76ef9ec30a87ff
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=f9b1a2bbc24f846e19b65167de76ef9ec30a87ff;hp=bc1aa9c656c8aa390329329ac0fdc6c2de89d547
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 20 06:54:51 2019 +0000
New Windows utility function: is_console_handle().
Rather like isatty() on Unix, this tells you if a raw Windows HANDLE
points at a console or not. Useful to know if your standard output or
standard error is going to be shown to a user, or redirected to
something that will make automated use of it.
windows/winmiscs.c | 8 ++++++++
windows/winstuff.h | 2 ++
2 files changed, 10 insertions(+)
commit 6593009b0eab99839ed7aec9343b16fe25b25436
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=6593009b0eab99839ed7aec9343b16fe25b25436;hp=f9b1a2bbc24f846e19b65167de76ef9ec30a87ff
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 20 06:56:40 2019 +0000
New utility object, StripCtrlChars.

This is for sanitising output that's going to be sent to a terminal,
if you don't want it to be able to send arbitrary escape sequences and
thereby (for example) move the cursor back up to existing text on the
screen and overprint it confusingly.

It works using the standard C library: we convert to a wide-character
string and back, and then use wctype.h to spot control characters in
the intermediate form. This means its idea of the conversion character
set is locale-based rather than any of our own charset library's fixed
settings - which is what you want if the aim is to protect your local
terminal (which we assume the system locale represents accurately).

This also means that the sanitiser strips things that will _act_ as
control characters when sent to the local terminal, whether or not
they were intended as control characters by a server that might have
had a different character set in mind. Since the main aim is to
protect the local terminal rather than to faithfully replicate the
server's intention, I think that's the right criterion.

It only strips control characters at the charset-independent layer,
like backspace, carriage return and the escape character: wctype.h
classifies those as control characters, but classifies as printing all
of the more Unicode-specific controls like bidirectional overrides.
But that's enough to prevent cursor repositioning, for example.

stripctrl.c comes with a test main() of its own, which I wasn't able
to fold into testcrypt and put in the test suite because of its
dependence on the system locale - it wouldn't be guaranteed to work
the same way on different test systems anyway.

A knock-on build tweak: because you can feed data into this sanitiser
in chunks of arbitrary size, including partial multibyte chars, I had
to use mbrtowc() for the decoding, and that means that in the 'old'
Win32 builds I have to link against the Visual Studio C++ library as
well as the C library, because for some reason that's where mbrtowc
lived in VS2003.
.gitignore | 1 +
Buildscr | 2 +-
defs.h | 2 +
misc.h | 18 ++++
mkfiles.pl | 4 +-
stripctrl.c | 276 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 301 insertions(+), 2 deletions(-)
commit 462b8c7b8483db0c634c5d6727d2ea49c1be67ec
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=462b8c7b8483db0c634c5d6727d2ea49c1be67ec;hp=6593009b0eab99839ed7aec9343b16fe25b25436
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 20 07:02:34 2019 +0000
Give FORCE_ON / FORCE_OFF / AUTO an enum name.
That will let me declare variables of that type: it's 'enum TriState'.
putty.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit 91cf47dd0d740b171a8ab9f3b93575a10d739560
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=91cf47dd0d740b171a8ab9f3b93575a10d739560;hp=462b8c7b8483db0c634c5d6727d2ea49c1be67ec
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 20 07:03:57 2019 +0000
Plink: default to sanitising non-tty console output.

If Plink's standard output and/or standard error points at a Windows
console or a Unix tty device, and if Plink was not configured to
request a remote pty (and hence to send a terminal-type string), then
we apply the new control-character stripping facility.

The idea is to be a mild defence against malicious remote processes
sending confusing escape sequences through the standard error channel
when Plink is being used as a transport for something like git: it's
OK to have actual sensible error messages come back from the server,
but when you run a git command, you didn't really intend to give the
remote server the implicit licence to write _all over_ your local
terminal display. At the same time, in that scenario, the standard
_output_ of Plink is left completely alone, on the grounds that git
will be expecting it to be 8-bit clean. (And Plink can tell that
because it's redirected away from the console.)

For interactive login sessions using Plink, this behaviour is
disabled, on the grounds that once you've sent a terminal-type string
it's assumed that you were _expecting_ the server to use it to know
what escape sequences to send to you.

So it should be transparent for all the use cases I've so far thought
of. But in case it's not, there's a family of new command-line options
like -no-sanitise-stdout and -sanitise-stderr that you can use to
forcibly override the autodetection of whether to do it.

This all applies the same way to both Unix and Windows Plink.
Recipe | 4 ++--
doc/plink.but | 46 +++++++++++++++++++++++++++++++++++++
unix/uxplink.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++-------
windows/winplink.c | 58 ++++++++++++++++++++++++++++++++++++++++++-----
4 files changed, 159 insertions(+), 15 deletions(-)
commit 2675f9578daf662ea5338e54ebe4825b2ff35597
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=2675f9578daf662ea5338e54ebe4825b2ff35597;hp=91cf47dd0d740b171a8ab9f3b93575a10d739560
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 20 07:09:10 2019 +0000
File transfer tools: sanitise remote filenames and stderr.

This commit adds sanitisation to PSCP and PSFTP in the same style as
I've just put it into Plink. This time, standard error is sanitised
without reference to whether it's redirected (at least unless you give
an override option), on the basis that where Plink is _sometimes_ an
SSH transport for some other protocol, PSCP and PSFTP _always_ are.

But also, the sanitiser is run over any remote filename sent by the
server, substituting ? for any control characters it finds. That
removes another avenue for the server to deliberately confuse the
display.

This commit fixes our bug 'pscp-unsanitised-server-output', aka the
two notional 'vulnerabilities' CVE-2019-6109 and CVE-2019-6110.
(Although we regard those in isolation as only bugs, not serious
vulnerabilities, because their main threat was in hiding the evidence
of a server having exploited other more serious vulns that we never
had.)
Recipe | 2 +-
doc/pscp.but | 10 +++++
doc/psftp.but | 9 +++++
pscp.c | 119 +++++++++++++++++++++++++++++++++++++++++-----------------
psftp.c | 114 +++++++++++++++++++++++++++++++++++++++----------------
5 files changed, 186 insertions(+), 68 deletions(-)
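
Added example (not PuTTY's stripctrl.c, and not written by the commit author): a minimal chunk-fed filter using the technique described in the StripCtrlChars and file-transfer commits above, decoding with mbrtowc(), classifying with iswcntrl(), re-encoding with wcrtomb(), and substituting ? for controls. The names ctrl_filter, ctrl_filter_init and ctrl_filter_chunk are hypothetical, letting newline through is an assumption, and the caller is assumed to have set LC_CTYPE to the local terminal's locale with setlocale().

```c
#include <limits.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical names; this is not PuTTY's StripCtrlChars interface. */
typedef struct {
    mbstate_t in, out;  /* decoder state survives between chunks */
    char subst;         /* replacement byte; 0 means drop the control */
} ctrl_filter;

void ctrl_filter_init(ctrl_filter *f, char subst)
{
    memset(f, 0, sizeof(*f));
    f->subst = subst;
}

/* Filter one chunk of remote bytes; returns bytes written to dst. */
size_t ctrl_filter_chunk(ctrl_filter *f, const char *src, size_t len,
                         char *dst, size_t cap)
{
    size_t used = 0;
    while (len > 0) {
        wchar_t wc = 0;
        char enc[MB_LEN_MAX];
        size_t outlen, n = mbrtowc(&wc, src, len, &f->in);
        if (n == (size_t)-2)
            break;                  /* partial char: prefix is held in f->in */
        int bad = (n == (size_t)-1 || n == 0);  /* invalid byte or NUL */
        if (n == (size_t)-1)
            memset(&f->in, 0, sizeof(f->in));   /* resynchronise decoder */
        if (bad)
            n = 1;                  /* consume exactly the offending byte */
        src += n; len -= n;
        /* Assumption: newline is the only control character let through. */
        bad = bad || (wc != L'\n' && iswcntrl((wint_t)wc));
        outlen = bad ? (size_t)-1 : wcrtomb(enc, wc, &f->out);
        if (outlen == (size_t)-1) {             /* control or unencodable */
            enc[0] = f->subst;
            outlen = f->subst ? 1 : 0;
        }
        if (used + outlen > cap)
            break;                  /* output full: stop, never overflow */
        memcpy(dst + used, enc, outlen);
        used += outlen;
    }
    return used;
}
```

Because classification happens on the decoded wide character, a multibyte sequence split across two calls is still judged as one character, which is the reason the commit message gives for using mbrtowc().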