From f4ff5f337ced0ecbc5e108bcfb08ed0fcd1ed6b8 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Thu, 25 Jun 2020 14:29:26 -0700
Subject: [PATCH] GUACAMOLE-474: Enforce upload disable option at low level, warning if not blocked at higher level as expected.
---
 src/common-ssh/sftp.c | 24 ++++++++++++++++++++++++
 src/protocols/rdp/upload.c | 24 ++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
diff --git a/src/common-ssh/sftp.c b/src/common-ssh/sftp.c
index eba7a7f7..0100cc16 100644
--- a/src/common-ssh/sftp.c
+++ b/src/common-ssh/sftp.c
@@ -376,6 +376,18 @@ int guac_common_ssh_sftp_handle_file_stream(
 char fullpath[GUAC_COMMON_SSH_SFTP_MAX_PATH];
 LIBSSH2_SFTP_HANDLE* file;
+ /* Ignore upload if uploads have been disabled */
+ if (filesystem->disable_upload) {
+ guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "
+ "been blocked due to uploads being disabled, however it "
+ "should have been blocked at a higher level. This is likely "
+ "a bug.");
+ guac_protocol_send_ack(user->socket, stream, "SFTP: Upload disabled",
+ GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+ guac_socket_flush(user->socket);
+ return 0;
+ }
+
 /* Concatenate filename with path */
 if (!guac_ssh_append_filename(fullpath, filesystem->upload_path, filename)) {
@@ -859,6 +871,18 @@ static int guac_common_ssh_sftp_put_handler(guac_user* user,
 guac_common_ssh_sftp_filesystem* filesystem = (guac_common_ssh_sftp_filesystem*) object->data;
+ /* Ignore upload if uploads have been disabled */
+ if (filesystem->disable_upload) {
+ guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "
+ "been blocked due to uploads being disabled, however it "
+ "should have been blocked at a higher level. This is likely "
+ "a bug.");
+ guac_protocol_send_ack(user->socket, stream, "SFTP: Upload disabled",
+ GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+ guac_socket_flush(user->socket);
+ return 0;
+ }
+
 LIBSSH2_SFTP* sftp = filesystem->sftp_session;
 /* Translate stream name into filesystem path */
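Review bot: The warning logged when the `disable_upload` guard in guac_common_ssh_sftp_handle_file_stream() fires does not say which file was requested, so an operator reading it cannot tell a client/server mismatch from someone deliberately probing a disabled upload path. `filename` is in scope here (the context line below passes it to guac_ssh_append_filename()), so the call could end with `"a bug. Requested file: \"%s\"", filename);`, keeping in mind that the value is client-supplied and should be treated as untrusted wherever the logs are parsed. The message also reads "A upload attempt"; `"An upload attempt has "` is the correct wording. The same text is repeated in the second sftp.c hunk and in both upload.c hunks, and the function body continues outside this hunk.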
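Review bot: This guard in guac_common_ssh_sftp_put_handler() is a line-for-line copy of the one added to guac_common_ssh_sftp_handle_file_stream() in the previous hunk, and for an access-control check that is how a later entry point ends up without it. A single static helper in sftp.c that performs the check, logs, sends the FORBIDDEN ack and flushes would leave each handler with a two-line call. The helper name below is only a suggestion, and the handler's signature and the rest of its body are outside the hunk, so the parameter types are taken from how `user`, `stream` and `filesystem` are used here.

```c
/* Rejects the stream and returns non-zero if uploads are disabled for
 * the given filesystem; returns zero if the upload may proceed. */
static int guac_common_ssh_sftp_reject_upload(guac_user* user,
        guac_stream* stream, guac_common_ssh_sftp_filesystem* filesystem) {

    if (!filesystem->disable_upload)
        return 0;

    /* … unchanged: warning log, CLIENT_FORBIDDEN ack, socket flush … */
    return 1;

}

/* … in guac_common_ssh_sftp_put_handler(), after filesystem is assigned … */
if (guac_common_ssh_sftp_reject_upload(user, stream, filesystem))
    return 0;
```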
diff --git a/src/protocols/rdp/upload.c b/src/protocols/rdp/upload.c
index 5317edbc..2b08b2f7 100644
--- a/src/protocols/rdp/upload.c
+++ b/src/protocols/rdp/upload.c
@@ -87,6 +87,18 @@ int guac_rdp_upload_file_handler(guac_user* user, guac_stream* stream,
 return 0;
 }
+ /* Ignore upload if uploads have been disabled */
+ if (fs->disable_upload) {
+ guac_client_log(client, GUAC_LOG_WARNING, "A upload attempt has "
+ "been blocked due to uploads being disabled, however it "
+ "should have been blocked at a higher level. This is likely "
+ "a bug.");
+ guac_protocol_send_ack(user->socket, stream, "FAIL (UPLOAD DISABLED)",
+ GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+ guac_socket_flush(user->socket);
+ return 0;
+ }
+
 /* Translate name */
 __generate_upload_path(filename, file_path);
@@ -205,6 +217,18 @@ int guac_rdp_upload_put_handler(guac_user* user, guac_object* object,
 return 0;
 }
+ /* Ignore upload if uploads have been disabled */
+ if (fs->disable_upload) {
+ guac_client_log(client, GUAC_LOG_WARNING, "A upload attempt has "
+ "been blocked due to uploads being disabled, however it "
+ "should have been blocked at a higher level. This is likely "
+ "a bug.");
+ guac_protocol_send_ack(user->socket, stream, "FAIL (UPLOAD DISABLED)",
+ GUAC_PROTOCOL_STATUS_CLIENT_FORBIDDEN);
+ guac_socket_flush(user->socket);
+ return 0;
+ }
+
 /* Open file */
 int file_id = guac_rdp_fs_open(fs, name, GENERIC_WRITE, 0, FILE_OVERWRITE_IF, 0);
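Review bot: The rejection in guac_rdp_upload_file_handler() is logged with `guac_client_log(client, ...)`, while the SFTP handlers in this same patch use `guac_user_log(user, ...)`; a client-level entry presumably cannot be tied to the particular user whose stream was refused, which matters when a connection is shared. `user` is already in scope (the ack goes to `user->socket`), so the call could open with `guac_user_log(user, GUAC_LOG_WARNING, "A upload attempt has "` and leave the remaining lines unchanged. The same applies to the guard added to guac_rdp_upload_put_handler() in the next hunk. Both function bodies start and end outside their hunks.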