GUACAMOLE-474: Enforce upload disable option at low level, warning if not blocked at higher level as expected.

2020-06-25 14:29:26 -07:00 · 2020-06-25 14:29:26 -07:00 · f4ff5f337c
commit f4ff5f337c
parent d8c32b1e82
2 changed files with 48 additions and 0 deletions
--- a/src/common-ssh/sftp.c
+++ b/src/common-ssh/sftp.c
@ -376,6 +376,18 @@ int guac_common_ssh_sftp_handle_file_stream(
    char fullpath[GUAC_COMMON_SSH_SFTP_MAX_PATH];
    LIBSSH2_SFTP_HANDLE* file;

+    /* Ignore upload if uploads have been disabled */
+    if (filesystem->disable_upload) {
+        guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "
+                "been blocked due to uploads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        guac_protocol_send_ack(user->socket, stream, "SFTP: Upload disabled",
+                GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+        guac_socket_flush(user->socket);
+        return 0;
+    }
+
    /* Concatenate filename with path */
    if (!guac_ssh_append_filename(fullpath, filesystem->upload_path,
                filename)) {
@ -859,6 +871,18 @@ static int guac_common_ssh_sftp_put_handler(guac_user* user,
    guac_common_ssh_sftp_filesystem* filesystem =
        (guac_common_ssh_sftp_filesystem*) object->data;

+    /* Ignore upload if uploads have been disabled */
+    if (filesystem->disable_upload) {
+        guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "
+                "been blocked due to uploads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        guac_protocol_send_ack(user->socket, stream, "SFTP: Upload disabled",
+                GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+        guac_socket_flush(user->socket);
+        return 0;
+    }
+
    LIBSSH2_SFTP* sftp = filesystem->sftp_session;

    /* Translate stream name into filesystem path */
--- a/src/protocols/rdp/upload.c
+++ b/src/protocols/rdp/upload.c
@ -87,6 +87,18 @@ int guac_rdp_upload_file_handler(guac_user* user, guac_stream* stream,
        return 0;
    }

+    /* Ignore upload if uploads have been disabled */
+    if (fs->disable_upload) {
+        guac_client_log(client, GUAC_LOG_WARNING, "A upload attempt has "
+                "been blocked due to uploads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        guac_protocol_send_ack(user->socket, stream, "FAIL (UPLOAD DISABLED)",
+                GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+        guac_socket_flush(user->socket);
+        return 0;
+    }
+
    /* Translate name */
    __generate_upload_path(filename, file_path);

@ -205,6 +217,18 @@ int guac_rdp_upload_put_handler(guac_user* user, guac_object* object,
        return 0;
    }

+    /* Ignore upload if uploads have been disabled */
+    if (fs->disable_upload) {
+        guac_client_log(client, GUAC_LOG_WARNING, "A upload attempt has "
+                "been blocked due to uploads being disabled, however it "
+                "should have been blocked at a higher level. This is likely "
+                "a bug.");
+        guac_protocol_send_ack(user->socket, stream, "FAIL (UPLOAD DISABLED)",
+                GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+        guac_socket_flush(user->socket);
+        return 0;
+    }
+
    /* Open file */
    int file_id = guac_rdp_fs_open(fs, name, GENERIC_WRITE, 0,
            FILE_OVERWRITE_IF, 0);