GUACAMOLE-474: Merge support for selectively disabling file uploads and downloads.

This commit is contained in:
Mike Jumper 2020-06-07 16:30:37 -07:00 committed by GitHub
commit e526174009
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 243 additions and 25 deletions

View File

@ -70,6 +70,16 @@ typedef struct guac_common_ssh_sftp_filesystem {
*/ */
char upload_path[GUAC_COMMON_SSH_SFTP_MAX_PATH]; char upload_path[GUAC_COMMON_SSH_SFTP_MAX_PATH];
/**
* If downloads from SFTP to the local browser should be disabled.
*/
int disable_download;
/**
* If uploads from the local browser to SFTP should be disabled.
*/
int disable_upload;
} guac_common_ssh_sftp_filesystem; } guac_common_ssh_sftp_filesystem;
/** /**
@ -123,12 +133,19 @@ typedef struct guac_common_ssh_sftp_ls_state {
* to a user, or NULL to automatically generate a name from the provided * to a user, or NULL to automatically generate a name from the provided
* root_path. * root_path.
* *
* @param disable_download
* Whether downloads from the SFTP share to the local browser should be
* disabled.
*
* @param disable_upload
* Whether uploads from the local browser to SFTP should be disabled.
*
* @return * @return
* A new SFTP filesystem object, not yet exposed to users. * A new SFTP filesystem object, not yet exposed to users.
*/ */
guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem( guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem(
guac_common_ssh_session* session, const char* root_path, guac_common_ssh_session* session, const char* root_path,
const char* name); const char* name, int disable_download, int disable_upload);
/** /**
* Destroys the given filesystem object, disconnecting from SFTP and freeing * Destroys the given filesystem object, disconnecting from SFTP and freeing

View File

@ -429,7 +429,7 @@ int guac_common_ssh_sftp_handle_file_stream(
/** /**
* Handler for ack messages which continue an outbound SFTP data transfer * Handler for ack messages which continue an outbound SFTP data transfer
* (download), signalling the current status and requesting additional data. * (download), signaling the current status and requesting additional data.
* The data associated with the given stream is expected to be a pointer to an * The data associated with the given stream is expected to be a pointer to an
* open LIBSSH2_SFTP_HANDLE for the file from which the data is to be read. * open LIBSSH2_SFTP_HANDLE for the file from which the data is to be read.
* *
@ -786,6 +786,14 @@ static int guac_common_ssh_sftp_get_handler(guac_user* user,
/* Otherwise, send file contents */ /* Otherwise, send file contents */
else { else {
/* If downloads are disabled, log and return. */
if (filesystem->disable_download) {
guac_user_log(user, GUAC_LOG_INFO,
"Unable to download file \"%s\", "
"file downloads have been disabled.", fullpath);
return 0;
}
/* Open as normal file */ /* Open as normal file */
LIBSSH2_SFTP_HANDLE* file = libssh2_sftp_open(sftp, fullpath, LIBSSH2_SFTP_HANDLE* file = libssh2_sftp_open(sftp, fullpath,
LIBSSH2_FXF_READ, 0); LIBSSH2_FXF_READ, 0);
@ -902,7 +910,11 @@ guac_object* guac_common_ssh_alloc_sftp_filesystem_object(
/* Init filesystem */ /* Init filesystem */
guac_object* fs_object = guac_user_alloc_object(user); guac_object* fs_object = guac_user_alloc_object(user);
fs_object->get_handler = guac_common_ssh_sftp_get_handler; fs_object->get_handler = guac_common_ssh_sftp_get_handler;
/* Only handle uploads if not disabled. */
if (!filesystem->disable_upload)
fs_object->put_handler = guac_common_ssh_sftp_put_handler; fs_object->put_handler = guac_common_ssh_sftp_put_handler;
fs_object->data = filesystem; fs_object->data = filesystem;
/* Send filesystem to user */ /* Send filesystem to user */
@ -915,7 +927,7 @@ guac_object* guac_common_ssh_alloc_sftp_filesystem_object(
guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem( guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem(
guac_common_ssh_session* session, const char* root_path, guac_common_ssh_session* session, const char* root_path,
const char* name) { const char* name, int disable_download, int disable_upload) {
/* Request SFTP */ /* Request SFTP */
LIBSSH2_SFTP* sftp_session = libssh2_sftp_init(session->session); LIBSSH2_SFTP* sftp_session = libssh2_sftp_init(session->session);
@ -930,6 +942,10 @@ guac_common_ssh_sftp_filesystem* guac_common_ssh_create_sftp_filesystem(
filesystem->ssh_session = session; filesystem->ssh_session = session;
filesystem->sftp_session = sftp_session; filesystem->sftp_session = sftp_session;
/* Copy over disable flags */
filesystem->disable_download = disable_download;
filesystem->disable_upload = disable_upload;
/* Normalize and store the provided root path */ /* Normalize and store the provided root path */
if (!guac_common_ssh_sftp_normalize_path(filesystem->root_path, if (!guac_common_ssh_sftp_normalize_path(filesystem->root_path,
root_path)) { root_path)) {

View File

@ -114,9 +114,13 @@ void guac_rdpdr_fs_process_create(guac_rdp_common_svc* svc,
/* Create \Download if it doesn't exist */ /* Create \Download if it doesn't exist */
file = guac_rdp_fs_get_file((guac_rdp_fs*) device->data, file_id); file = guac_rdp_fs_get_file((guac_rdp_fs*) device->data, file_id);
if (file != NULL && strcmp(file->absolute_path, "\\") == 0) { if (file != NULL && strcmp(file->absolute_path, "\\") == 0) {
/* Only create Download folder if downloads are enabled. */
if (!((guac_rdp_fs*) devices->data)->disable_download) {
int download_id = int download_id =
guac_rdp_fs_open((guac_rdp_fs*) device->data, "\\Download", guac_rdp_fs_open((guac_rdp_fs*) device->data, "\\Download",
GENERIC_READ, 0, FILE_OPEN_IF, FILE_DIRECTORY_FILE); GENERIC_READ, 0, FILE_OPEN_IF, FILE_DIRECTORY_FILE);
}
if (download_id >= 0) if (download_id >= 0)
guac_rdp_fs_close((guac_rdp_fs*) device->data, download_id); guac_rdp_fs_close((guac_rdp_fs*) device->data, download_id);
@ -261,8 +265,9 @@ void guac_rdpdr_fs_process_close(guac_rdp_common_svc* svc,
return; return;
/* If file was written to, and it's in the \Download folder, start stream */ /* If file was written to, and it's in the \Download folder, start stream */
if (file->bytes_written > 0 && if (file->bytes_written > 0
strncmp(file->absolute_path, "\\Download\\", 10) == 0) { && strncmp(file->absolute_path, "\\Download\\", 10) == 0
&& !((guac_rdp_fs*) device->data)->disable_download) {
guac_client_for_owner(svc->client, guac_rdp_download_to_user, file->absolute_path); guac_client_for_owner(svc->client, guac_rdp_download_to_user, file->absolute_path);
guac_rdp_fs_delete((guac_rdp_fs*) device->data, iorequest->file_id); guac_rdp_fs_delete((guac_rdp_fs*) device->data, iorequest->file_id);
} }

View File

@ -43,7 +43,7 @@
#include <unistd.h> #include <unistd.h>
guac_rdp_fs* guac_rdp_fs_alloc(guac_client* client, const char* drive_path, guac_rdp_fs* guac_rdp_fs_alloc(guac_client* client, const char* drive_path,
int create_drive_path) { int create_drive_path, int disable_download, int disable_upload) {
/* Create drive path if it does not exist */ /* Create drive path if it does not exist */
if (create_drive_path) { if (create_drive_path) {
@ -65,6 +65,8 @@ guac_rdp_fs* guac_rdp_fs_alloc(guac_client* client, const char* drive_path,
fs->drive_path = strdup(drive_path); fs->drive_path = strdup(drive_path);
fs->file_id_pool = guac_pool_alloc(0); fs->file_id_pool = guac_pool_alloc(0);
fs->open_files = 0; fs->open_files = 0;
fs->disable_download = disable_download;
fs->disable_upload = disable_upload;
return fs; return fs;
@ -81,7 +83,11 @@ guac_object* guac_rdp_fs_alloc_object(guac_rdp_fs* fs, guac_user* user) {
/* Init filesystem */ /* Init filesystem */
guac_object* fs_object = guac_user_alloc_object(user); guac_object* fs_object = guac_user_alloc_object(user);
fs_object->get_handler = guac_rdp_download_get_handler; fs_object->get_handler = guac_rdp_download_get_handler;
/* Assign handler only if uploads are not disabled. */
if (!fs->disable_upload)
fs_object->put_handler = guac_rdp_upload_put_handler; fs_object->put_handler = guac_rdp_upload_put_handler;
fs_object->data = fs; fs_object->data = fs;
/* Send filesystem to user */ /* Send filesystem to user */

View File

@ -220,6 +220,16 @@ typedef struct guac_rdp_fs {
*/ */
guac_rdp_fs_file files[GUAC_RDP_FS_MAX_FILES]; guac_rdp_fs_file files[GUAC_RDP_FS_MAX_FILES];
/**
* If downloads from the remote server to the browser should be disabled.
*/
int disable_download;
/**
* If uploads from the browser to the remote server should be disabled.
*/
int disable_upload;
} guac_rdp_fs; } guac_rdp_fs;
/** /**
@ -259,11 +269,19 @@ typedef struct guac_rdp_fs_info {
* Non-zero if the drive path specified should be automatically created if * Non-zero if the drive path specified should be automatically created if
* it does not yet exist, zero otherwise. * it does not yet exist, zero otherwise.
* *
* @param disable_download
* Non-zero if downloads from the remote server to the local browser should
* be disabled.
*
* @param disable_upload
* Non-zero if uploads from the browser to the remote server should be
* disabled.
*
* @return * @return
* The newly-allocated filesystem. * The newly-allocated filesystem.
*/ */
guac_rdp_fs* guac_rdp_fs_alloc(guac_client* client, const char* drive_path, guac_rdp_fs* guac_rdp_fs_alloc(guac_client* client, const char* drive_path,
int create_drive_path); int create_drive_path, int disable_download, int disable_upload);
/** /**
* Frees the given filesystem. * Frees the given filesystem.

View File

@ -550,7 +550,8 @@ void* guac_rdp_client_thread(void* data) {
/* Allocate actual emulated filesystem */ /* Allocate actual emulated filesystem */
rdp_client->filesystem = rdp_client->filesystem =
guac_rdp_fs_alloc(client, settings->drive_path, guac_rdp_fs_alloc(client, settings->drive_path,
settings->create_drive_path); settings->create_drive_path, settings->disable_download,
settings->disable_upload);
/* Expose filesystem to owner */ /* Expose filesystem to owner */
guac_client_for_owner(client, guac_rdp_fs_expose, guac_client_for_owner(client, guac_rdp_fs_expose,
@ -619,7 +620,9 @@ void* guac_rdp_client_thread(void* data) {
/* Load and expose filesystem */ /* Load and expose filesystem */
rdp_client->sftp_filesystem = rdp_client->sftp_filesystem =
guac_common_ssh_create_sftp_filesystem(rdp_client->sftp_session, guac_common_ssh_create_sftp_filesystem(rdp_client->sftp_session,
settings->sftp_root_directory, NULL); settings->sftp_root_directory, NULL,
settings->sftp_disable_download,
settings->sftp_disable_upload);
/* Expose filesystem to connection owner */ /* Expose filesystem to connection owner */
guac_client_for_owner(client, guac_client_for_owner(client,

View File

@ -55,6 +55,8 @@ const char* GUAC_RDP_CLIENT_ARGS[] = {
"drive-name", "drive-name",
"drive-path", "drive-path",
"create-drive-path", "create-drive-path",
"disable-download",
"disable-upload",
"console", "console",
"console-audio", "console-audio",
"server-layout", "server-layout",
@ -91,6 +93,8 @@ const char* GUAC_RDP_CLIENT_ARGS[] = {
"sftp-directory", "sftp-directory",
"sftp-root-directory", "sftp-root-directory",
"sftp-server-alive-interval", "sftp-server-alive-interval",
"sftp-disable-download",
"sftp-disable-upload",
#endif #endif
"recording-path", "recording-path",
@ -215,6 +219,18 @@ enum RDP_ARGS_IDX {
*/ */
IDX_CREATE_DRIVE_PATH, IDX_CREATE_DRIVE_PATH,
/**
* "true" to disable the ability to download files from a remote server to
* the local client over RDP, "false" or blank otherwise.
*/
IDX_DISABLE_DOWNLOAD,
/**
* "true" to disable the ability to upload files from the local client to
* the remote server over RDP, "false" or blank otherwise.
*/
IDX_DISABLE_UPLOAD,
/** /**
* "true" if this session is a console session, "false" or blank otherwise. * "true" if this session is a console session, "false" or blank otherwise.
*/ */
@ -430,6 +446,20 @@ enum RDP_ARGS_IDX {
* cases. * cases.
*/ */
IDX_SFTP_SERVER_ALIVE_INTERVAL, IDX_SFTP_SERVER_ALIVE_INTERVAL,
/**
* "true" to disable file download from the SFTP server to the local client
* over the SFTP connection, if SFTP is configured and enabled. "false" or
* blank otherwise.
*/
IDX_SFTP_DISABLE_DOWNLOAD,
/**
* "true" to disable file upload from the SFTP server to the local client
* over the SFTP connection, if SFTP is configured and enabled. "false" or
* blank otherwise.
*/
IDX_SFTP_DISABLE_UPLOAD,
#endif #endif
/** /**
@ -839,14 +869,26 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv, guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_DRIVE_NAME, "Guacamole Filesystem"); IDX_DRIVE_NAME, "Guacamole Filesystem");
/* The path on the server to connect the drive. */
settings->drive_path = settings->drive_path =
guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv, guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_DRIVE_PATH, ""); IDX_DRIVE_PATH, "");
/* If the server path should be created if it doesn't already exist. */
settings->create_drive_path = settings->create_drive_path =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv, guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_CREATE_DRIVE_PATH, 0); IDX_CREATE_DRIVE_PATH, 0);
/* If file downloads over RDP should be disabled. */
settings->disable_download =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_DISABLE_DOWNLOAD, 0);
/* If file uploads over RDP should be disabled. */
settings->disable_upload =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_DISABLE_UPLOAD, 0);
/* Pick keymap based on argument */ /* Pick keymap based on argument */
settings->server_layout = NULL; settings->server_layout = NULL;
if (argv[IDX_SERVER_LAYOUT][0] != '\0') if (argv[IDX_SERVER_LAYOUT][0] != '\0')
@ -918,6 +960,16 @@ guac_rdp_settings* guac_rdp_parse_args(guac_user* user,
settings->sftp_server_alive_interval = settings->sftp_server_alive_interval =
guac_user_parse_args_int(user, GUAC_RDP_CLIENT_ARGS, argv, guac_user_parse_args_int(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_SFTP_SERVER_ALIVE_INTERVAL, 0); IDX_SFTP_SERVER_ALIVE_INTERVAL, 0);
/* Whether or not to disable file download over SFTP. */
settings->sftp_disable_download =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_DOWNLOAD, 0);
/* Whether or not to disable file upload over SFTP. */
settings->sftp_disable_upload =
guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_UPLOAD, 0);
#endif #endif
/* Read recording path */ /* Read recording path */

View File

@ -229,6 +229,16 @@ typedef struct guac_rdp_settings {
*/ */
int create_drive_path; int create_drive_path;
/**
* Whether or not to disable file download over RDP.
*/
int disable_download;
/**
* Wether or not to disable file upload over RDP.
*/
int disable_upload;
/** /**
* Whether this session is a console session. * Whether this session is a console session.
*/ */
@ -450,6 +460,16 @@ typedef struct guac_rdp_settings {
* cases. * cases.
*/ */
int sftp_server_alive_interval; int sftp_server_alive_interval;
/**
* Whether or not to disable file download over SFTP.
*/
int sftp_disable_download;
/**
* Whether or not to disable file upload over SFTP.
*/
int sftp_disable_upload;
#endif #endif
/** /**

View File

@ -131,16 +131,17 @@ int guac_rdp_user_file_handler(guac_user* user, guac_stream* stream,
#ifdef ENABLE_COMMON_SSH #ifdef ENABLE_COMMON_SSH
guac_rdp_settings* settings = rdp_client->settings; guac_rdp_settings* settings = rdp_client->settings;
/* If SFTP is enabled, it should be used for default uploads only if RDPDR /* If SFTP is enabled and SFTP uploads have not been disabled, it should be
* is not enabled or its upload directory has been set */ * used for default uploads only if RDPDR is not enabled or its upload
if (rdp_client->sftp_filesystem != NULL) { * directory has been set */
if (rdp_client->sftp_filesystem != NULL && !settings->sftp_disable_upload) {
if (!settings->drive_enabled || settings->sftp_directory != NULL) if (!settings->drive_enabled || settings->sftp_directory != NULL)
return guac_rdp_sftp_file_handler(user, stream, mimetype, filename); return guac_rdp_sftp_file_handler(user, stream, mimetype, filename);
} }
#endif #endif
/* Default to using RDPDR uploads (if enabled) */ /* Default to using RDPDR uploads (if enabled) */
if (rdp_client->filesystem != NULL) if (rdp_client->filesystem != NULL && !settings->disable_upload)
return guac_rdp_upload_file_handler(user, stream, mimetype, filename); return guac_rdp_upload_file_handler(user, stream, mimetype, filename);
/* File transfer not enabled */ /* File transfer not enabled */

View File

@ -39,6 +39,8 @@ const char* GUAC_SSH_CLIENT_ARGS[] = {
"font-size", "font-size",
"enable-sftp", "enable-sftp",
"sftp-root-directory", "sftp-root-directory",
"sftp-disable-download",
"sftp-disable-upload",
"private-key", "private-key",
"passphrase", "passphrase",
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
@ -115,6 +117,18 @@ enum SSH_ARGS_IDX {
*/ */
IDX_SFTP_ROOT_DIRECTORY, IDX_SFTP_ROOT_DIRECTORY,
/**
* "true" if file downloads over SFTP should be blocked. "false" or blank
* if file downloads should be allowed.
*/
IDX_SFTP_DISABLE_DOWNLOAD,
/**
* "true" if file uploads over SFTP should be blocked. "false" or blank if
* file uploads should be allowed.
*/
IDX_SFTP_DISABLE_UPLOAD,
/** /**
* The private key to use for authentication, if any. * The private key to use for authentication, if any.
*/ */
@ -351,6 +365,16 @@ guac_ssh_settings* guac_ssh_parse_args(guac_user* user,
guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv, guac_user_parse_args_string(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SFTP_ROOT_DIRECTORY, "/"); IDX_SFTP_ROOT_DIRECTORY, "/");
/* Disable file downloads. */
settings->sftp_disable_download =
guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_DOWNLOAD, false);
/* Disable file uploads. */
settings->sftp_disable_upload =
guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_UPLOAD, false);
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
settings->enable_agent = settings->enable_agent =
guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv, guac_user_parse_args_boolean(user, GUAC_SSH_CLIENT_ARGS, argv,

View File

@ -180,6 +180,20 @@ typedef struct guac_ssh_settings {
*/ */
char* sftp_root_directory; char* sftp_root_directory;
/**
* Whether file download over SFTP should be disabled. If set to true, file
* downloads will not be allowed over SFTP. If not set or set to false, file
* downloads will be allowed.
*/
bool sftp_disable_download;
/**
* Whether file uploads over SFTP should be disabled. If set to true, file
* uploads will not be allowed over SFTP. If not set or set to false, file
* uploads will be allowed.
*/
bool sftp_disable_upload;
#ifdef ENABLE_SSH_AGENT #ifdef ENABLE_SSH_AGENT
/** /**
* Whether the SSH agent is enabled. * Whether the SSH agent is enabled.

View File

@ -320,7 +320,8 @@ void* ssh_client_thread(void* data) {
/* Request SFTP */ /* Request SFTP */
ssh_client->sftp_filesystem = guac_common_ssh_create_sftp_filesystem( ssh_client->sftp_filesystem = guac_common_ssh_create_sftp_filesystem(
ssh_client->sftp_session, settings->sftp_root_directory, ssh_client->sftp_session, settings->sftp_root_directory,
NULL); NULL, settings->sftp_disable_download,
settings->sftp_disable_upload);
/* Expose filesystem to connection owner */ /* Expose filesystem to connection owner */
guac_client_for_owner(client, guac_client_for_owner(client,
@ -328,7 +329,10 @@ void* ssh_client_thread(void* data) {
ssh_client->sftp_filesystem); ssh_client->sftp_filesystem);
/* Init handlers for Guacamole-specific console codes */ /* Init handlers for Guacamole-specific console codes */
if (!settings->sftp_disable_upload)
ssh_client->term->upload_path_handler = guac_sftp_set_upload_path; ssh_client->term->upload_path_handler = guac_sftp_set_upload_path;
if (!settings->sftp_disable_download)
ssh_client->term->file_download_handler = guac_sftp_download_file; ssh_client->term->file_download_handler = guac_sftp_download_file;
guac_client_log(client, GUAC_LOG_DEBUG, "SFTP session initialized"); guac_client_log(client, GUAC_LOG_DEBUG, "SFTP session initialized");

View File

@ -99,7 +99,7 @@ int guac_ssh_user_join_handler(guac_user* user, int argc, char** argv) {
user->size_handler = guac_ssh_user_size_handler; user->size_handler = guac_ssh_user_size_handler;
/* Set generic (non-filesystem) file upload handler */ /* Set generic (non-filesystem) file upload handler */
if (settings->enable_sftp) if (settings->enable_sftp && !settings->sftp_disable_upload)
user->file_handler = guac_sftp_file_handler; user->file_handler = guac_sftp_file_handler;
} }

View File

@ -70,6 +70,8 @@ const char* GUAC_VNC_CLIENT_ARGS[] = {
"sftp-directory", "sftp-directory",
"sftp-root-directory", "sftp-root-directory",
"sftp-server-alive-interval", "sftp-server-alive-interval",
"sftp-disable-download",
"sftp-disable-upload",
#endif #endif
"recording-path", "recording-path",
@ -259,6 +261,18 @@ enum VNC_ARGS_IDX {
* cases. * cases.
*/ */
IDX_SFTP_SERVER_ALIVE_INTERVAL, IDX_SFTP_SERVER_ALIVE_INTERVAL,
/**
* If set to "true", file downloads over SFTP will be blocked. If set to
* "false" or not set, file downloads will be allowed.
*/
IDX_SFTP_DISABLE_DOWNLOAD,
/**
* If set to "true", file uploads over SFTP will be blocked. If set to
* "false" or not set, file uploads will be allowed.
*/
IDX_SFTP_DISABLE_UPLOAD,
#endif #endif
/** /**
@ -486,6 +500,14 @@ guac_vnc_settings* guac_vnc_parse_args(guac_user* user,
settings->sftp_server_alive_interval = settings->sftp_server_alive_interval =
guac_user_parse_args_int(user, GUAC_VNC_CLIENT_ARGS, argv, guac_user_parse_args_int(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_SFTP_SERVER_ALIVE_INTERVAL, 0); IDX_SFTP_SERVER_ALIVE_INTERVAL, 0);
settings->sftp_disable_download =
guac_user_parse_args_boolean(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_DOWNLOAD, false);
settings->sftp_disable_upload =
guac_user_parse_args_boolean(user, GUAC_VNC_CLIENT_ARGS, argv,
IDX_SFTP_DISABLE_UPLOAD, false);
#endif #endif
/* Read recording path */ /* Read recording path */

View File

@ -211,6 +211,20 @@ typedef struct guac_vnc_settings {
* cases. * cases.
*/ */
int sftp_server_alive_interval; int sftp_server_alive_interval;
/**
* Whether file downloads over SFTP should be blocked. If set to "true",
* the local client will not be able to download files from the SFTP server.
* If set to "false" or not set, file downloads will be allowed.
*/
bool sftp_disable_download;
/**
* Whether file uploads over SFTP should be blocked. If set to "true", the
* local client will not be able to upload files to the SFTP server. If set
* to "false" or not set, file uploads will be allowed.
*/
bool sftp_disable_upload;
#endif #endif
/** /**

View File

@ -101,7 +101,7 @@ int guac_vnc_user_join_handler(guac_user* user, int argc, char** argv) {
#ifdef ENABLE_COMMON_SSH #ifdef ENABLE_COMMON_SSH
/* Set generic (non-filesystem) file upload handler */ /* Set generic (non-filesystem) file upload handler */
if (settings->enable_sftp) if (settings->enable_sftp && !settings->sftp_disable_upload)
user->file_handler = guac_vnc_sftp_file_handler; user->file_handler = guac_vnc_sftp_file_handler;
#endif #endif

View File

@ -342,7 +342,9 @@ void* guac_vnc_client_thread(void* data) {
/* Load filesystem */ /* Load filesystem */
vnc_client->sftp_filesystem = vnc_client->sftp_filesystem =
guac_common_ssh_create_sftp_filesystem(vnc_client->sftp_session, guac_common_ssh_create_sftp_filesystem(vnc_client->sftp_session,
settings->sftp_root_directory, NULL); settings->sftp_root_directory, NULL,
settings->sftp_disable_download,
settings->sftp_disable_upload);
/* Expose filesystem to connection owner */ /* Expose filesystem to connection owner */
guac_client_for_owner(client, guac_client_for_owner(client,