From 42e382062cbb4ab456a281b84590f375bd460570 Mon Sep 17 00:00:00 2001
From: Nick Couchman
Date: Wed, 25 Dec 2019 18:29:07 -0500
Subject: [PATCH] GUACAMOLE-474: Add parameter processing for file upload/download disable.
---
 src/protocols/rdp/settings.c | 52 ++++++++++++++++++++++++++++++++++++
 src/protocols/rdp/settings.h | 20 ++++++++++++++
 src/protocols/ssh/settings.c | 24 +++++++++++++++++
 src/protocols/ssh/settings.h | 14 ++++++++++
 src/protocols/vnc/settings.c | 22 +++++++++++++++
 src/protocols/vnc/settings.h | 14 ++++++++++
 6 files changed, 146 insertions(+)
diff --git a/src/protocols/rdp/settings.c b/src/protocols/rdp/settings.c
index fe2cf672..f8192fe2 100644
--- a/src/protocols/rdp/settings.c
+++ b/src/protocols/rdp/settings.c
@@ -55,6 +55,8 @@ const char* GUAC_RDP_CLIENT_ARGS[] = {
 "drive-name",
 "drive-path",
 "create-drive-path",
+ "disable-download",
+ "disable-upload",
 "console",
 "console-audio",
 "server-layout",
@@ -91,6 +93,8 @@ const char* GUAC_RDP_CLIENT_ARGS[] = {
 "sftp-directory",
 "sftp-root-directory",
 "sftp-server-alive-interval",
+ "sftp-disable-download",
+ "sftp-disable-upload",
 #endif
 "recording-path",
@@ -214,6 +218,18 @@ enum RDP_ARGS_IDX {
 * drive if it does not yet exist, "false" or blank otherwise.
 */
 IDX_CREATE_DRIVE_PATH,
+
+ /**
+ * "true" to disable the ability to download files from a remote server to
+ * the local client over RDP, "false" or blank otherwise.
+ */
+ IDX_DISABLE_DOWNLOAD,
+
+ /**
+ * "true" to disable the ability to upload files from the local client to
+ * the remote server over RDP, "false" or blank otherwise.
+ */
+ IDX_DISABLE_UPLOAD,
 /**
 * "true" if this session is a console session, "false" or blank otherwise.
@@ -430,6 +446,20 @@ enum RDP_ARGS_IDX {
 * cases.
 */
 IDX_SFTP_SERVER_ALIVE_INTERVAL,
+
+ /**
+ * "true" to disable file download from the SFTP server to the local client
+ * over the SFTP connection, if SFTP is configured and enabled. "false" or
+ * blank otherwise.
+ */
+ IDX_SFTP_DISABLE_DOWNLOAD,
+
+ /**
+ * "true" to disable file upload from the SFTP server to the local client
+ * over the SFTP connection, if SFTP is configured and enabled. "false" or
+ * blank otherwise.
+ */
+ IDX_SFTP_DISABLE_UPLOAD,
 #endif
 /**
@@ -842,13 +872,25 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
 guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
 IDX_DRIVE_NAME, "Guacamole Filesystem");
+ /* The path on the server to connect the drive. */
 settings->drive_path =
 guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
 IDX_DRIVE_PATH, "");
+ /* If the server path should be created if it doesn't already exist. */
 settings->create_drive_path =
 guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
 IDX_CREATE_DRIVE_PATH, 0);
+
+ /* If file downloads over RDP should be disabled. */
+ settings->disable_download =
+ guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
+ IDX_DISABLE_DOWNLOAD, 0);
+
+ /* If file uploads over RDP should be disabled. */
+ settings->disable_upload =
+ guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
+ IDX_DISABLE_UPLOAD, 0);
 /* Pick keymap based on argument */
 settings->server_layout = NULL;
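Review bot: The doc comment on `IDX_SFTP_DISABLE_UPLOAD` in the `@@ -430` hunk of src/protocols/rdp/settings.c states the wrong direction: it says upload runs "from the SFTP server to the local client", which repeats the wording of the `IDX_SFTP_DISABLE_DOWNLOAD` comment just above it. Because this text documents a parameter that restricts file transfer, the direction should be exact: `* "true" to disable file upload from the local client to the SFTP server`. The enum body starts and ends outside the hunk.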
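Review bot: `disable_download` and `disable_upload` are only stored in the `@@ -842` hunk of src/protocols/rdp/settings.c, and no code in this patch reads them; the same holds for the `sftp_disable_*` fields parsed in the `@@ -921` hunk and in the SSH and VNC parsers. Presumably the checks arrive in a separate commit, but until they do a value of "true" restricts nothing, so a comment such as `/* Parsed only here; must be checked wherever a transfer is started. */` would keep the next reader from assuming the control is already in force. Both flags default to 0 (transfers allowed) when the parameter is blank, which is worth stating in the parameter documentation for deployments that rely on it to limit data leaving the remote host. guac_rdp_parse_args continues outside the hunk.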
@@ -921,6 +963,16 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
 settings->sftp_server_alive_interval =
 guac_user_parse_args_int(user, GUAC_RDP_CLIENT_ARGS, argv,
 IDX_SFTP_SERVER_ALIVE_INTERVAL, 0);
+
+ /* Whether or not to disable file download over SFTP. */
+ settings->sftp_disable_download =
+ guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
+ IDX_SFTP_DISABLE_DOWNLOAD, 0);
+
+ /* Whether or not to disable file upload over SFTP. */
+ settings->sftp_disable_upload =
+ guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
+ IDX_SFTP_DISABLE_UPLOAD, 0);
 #endif
 /* Read recording path */
diff --git a/src/protocols/rdp/settings.h b/src/protocols/rdp/settings.h
index e4c579ed..7e7311b7 100644
--- a/src/protocols/rdp/settings.h
+++ b/src/protocols/rdp/settings.h
@@ -218,6 +218,16 @@ typedef struct guac_rdp_settings {
 * exist.
 */
 int create_drive_path;
+
+ /**
+ * Whether or not to disable file download over RDP.
+ */
+ int disable_download;
+
+ /**
+ * Wether or not to disable file upload over RDP.
+ */
+ int disable_upload;
 /**
 * Whether this session is a console session.
@@ -440,6 +450,16 @@ typedef struct guac_rdp_settings {
 * cases.
 */
 int sftp_server_alive_interval;
+
+ /**
+ * Whether or not to disable file download over SFTP.
+ */
+ int sftp_disable_download;
+
+ /**
+ * Whether or not to disable file upload over SFTP.
+ */
+ int sftp_disable_upload;
 #endif
 /**
diff --git a/src/protocols/ssh/settings.c b/src/protocols/ssh/settings.c
index 7dab3215..32c60725 100644
--- a/src/protocols/ssh/settings.c
+++ b/src/protocols/ssh/settings.c
@@ -39,6 +39,8 @@ const char* GUAC_SSH_CLIENT_ARGS[] = {
 "font-size",
 "enable-sftp",
 "sftp-root-directory",
+ "sftp-disable-download",
+ "sftp-disable-upload",
 "private-key",
 "passphrase",
 #ifdef ENABLE_SSH_AGENT
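Review bot: The comment on `disable_upload` in the `@@ -218` hunk of src/protocols/rdp/settings.h misspells "Whether" as "Wether"; it should read `* Whether or not to disable file upload over RDP.`. The two fields are `int` here while the SSH and VNC structs in this patch use `bool` for the same flags, but that follows the neighbouring `int create_drive_path`, so only the comment needs changing. The struct starts and ends outside the hunk.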
@@ -114,6 +116,18 @@ enum SSH_ARGS_IDX {
 * filesystem guac_object. If omitted, "/" will be used by default.
 */
 IDX_SFTP_ROOT_DIRECTORY,
+
+ /**
+ * "true" if file downloads over SFTP should be blocked. "false" or blank
+ * if file downloads should be allowed.
+ */
+ IDX_SFTP_DISABLE_DOWNLOAD,
+
+ /**
+ * "true" if file uploads over SFTP should be blocked. "false" or blank if
+ * file uploads should be allowed.
+ */
+ IDX_SFTP_DISABLE_UPLOAD,
 /**
 * The private key to use for authentication, if any.
@@ -350,6 +364,16 @@ guac_ssh_settings* guac_ssh_parse_args(guac_user* user,
 settings->sftp_root_directory =
 guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
 IDX_SFTP_ROOT_DIRECTORY, "/");
+
+ /* Disable file downloads. */
+ settings->sftp_disable_download =
+ guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
+ IDX_SFTP_DISABLE_DOWNLAOD, false);
+
+ /* Disable file uploads. */
+ settings->sftp_disable_upload =
+ guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
+ IDX_SFTP_DISABLE_UPLOAD, false);
 #ifdef ENABLE_SSH_AGENT
 settings->enable_agent =
diff --git a/src/protocols/ssh/settings.h b/src/protocols/ssh/settings.h
index bab21bdf..76221df6 100644
--- a/src/protocols/ssh/settings.h
+++ b/src/protocols/ssh/settings.h
@@ -179,6 +179,20 @@ typedef struct guac_ssh_settings {
 * filesystem guac_object.
 */
 char* sftp_root_directory;
+
+ /**
+ * Whether file download over SFTP should be disabled. If set to true, file
+ * downloads will not be allowed over SFTP. If not set or set to false, file
+ * downloads will be allowed.
+ */
+ bool disable_download;
+
+ /**
+ * Whether file uploads over SFTP should be disabled. If set to true, file
+ * uploads will not be allowed over SFTP. If not set or set to false, file
+ * uploads will be allowed.
+ */
+ bool disable_upload;
 #ifdef ENABLE_SSH_AGENT
 /**
diff --git a/src/protocols/vnc/settings.c b/src/protocols/vnc/settings.c
index 21f64057..76b03650 100644
--- a/src/protocols/vnc/settings.c
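Review bot: `IDX_SFTP_DISABLE_DOWNLAOD` in the `@@ -350` hunk of src/protocols/ssh/settings.c is misspelled; the enum entry added in the `@@ -114` hunk of the same file is `IDX_SFTP_DISABLE_DOWNLOAD`, so this will not compile unless the misspelled name is declared somewhere outside the patch. The line should read `IDX_SFTP_DISABLE_DOWNLOAD, false);`. guac_ssh_parse_args continues outside the hunk.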
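Review bot: The members added in the `@@ -179` hunk of src/protocols/ssh/settings.h are named `disable_download` and `disable_upload`, but the parser in src/protocols/ssh/settings.c assigns `settings->sftp_disable_download` and `settings->sftp_disable_upload`. Unless members with those names exist outside the visible hunks, the SSH build fails. Renaming them to `bool sftp_disable_download;` and `bool sftp_disable_upload;` fixes that and matches the field names used in the RDP and VNC structs. The struct starts and ends outside the hunk.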
+++ b/src/protocols/vnc/settings.c
@@ -70,6 +70,8 @@ const char* GUAC_VNC_CLIENT_ARGS[] = {
 "sftp-directory",
 "sftp-root-directory",
 "sftp-server-alive-interval",
+ "sftp-disable-download",
+ "sftp-disable-upload",
 #endif
 "recording-path",
@@ -259,6 +261,18 @@ enum VNC_ARGS_IDX {
 * cases.
 */
 IDX_SFTP_SERVER_ALIVE_INTERVAL,
+
+ /**
+ * If set to "true", file downloads over SFTP will be blocked. If set to
+ * "false" or not set, file downloads will be allowed.
+ */
+ IDX_SFTP_DISABLE_DOWNLOAD,
+
+ /**
+ * If set to "true", file uploads over SFTP will be blocked. If set to
+ * "false" or not set, file uploads will be allowed.
+ */
+ IDX_SFTP_DISABLE_UPLOAD,
 #endif
 /**
@@ -486,6 +500,14 @@ guac_vnc_settings* guac_vnc_parse_args(guac_user* user,
 settings->sftp_server_alive_interval =
 guac_user_parse_args_int(user, GUAC_VNC_CLIENT_ARGS, argv,
 IDX_SFTP_SERVER_ALIVE_INTERVAL, 0);
+
+ settings->sftp_disable_download =
+ guac_user_parse_args_boolean(user, GUAC_VNC_CLIENT_ARGS, argv,
+ IDX_SFTP_DISABLE_DOWNLOAD, false);
+
+ settings->sftp_disable_upload =
+ guac_user_parse_args_boolean(user, GUAC_VNC_CLIENT_ARGS, argv,
+ IDX_SFTP_DISABLE_UPLOAD, false);
 #endif
 /* Read recording path */
diff --git a/src/protocols/vnc/settings.h b/src/protocols/vnc/settings.h
index 34c08ec9..f2205fb6 100644
--- a/src/protocols/vnc/settings.h
+++ b/src/protocols/vnc/settings.h
@@ -211,6 +211,20 @@ typedef struct guac_vnc_settings {
 * cases.
 */
 int sftp_server_alive_interval;
+
+ /**
+ * Whether file downloads over SFTP should be blocked. If set to "true",
+ * the local client will not be able to download files from the SFTP server.
+ * If set to "false" or not set, file downloads will be allowed.
+ */
+ bool sftp_disable_download;
+
+ /**
+ * Whether file uploads over SFTP should be blocked. If set to "true", the
+ * local client will not be able to upload files to the SFTP server. If set
+ * to "false" or not set, file uploads will be allowed.
+ */
+ bool sftp_disable_upload;
 #endif
 /**