guacamole-user mailing list archives

From Lukáš Raška <lukasra...@gmail.com>
Subject Re: Unable to specify upload directory in file stream
Date Thu, 13 Jun 2019 14:06:36 GMT
Hi,

On Wed, 12 Jun 2019 at 19:51, Mike Jumper <mjumper@apache.org> wrote:

> On Wed, Jun 12, 2019, 09:17 Lukáš Raška <lukas@raska.me> wrote:
>
>> Hello,
>> so after digging through guacd source, I found out it can be controlled
>> via 482201 console code,
>>
>
> Or via the guacctl utility provided to send those codes:
>
> https://github.com/apache/guacamole-server/blob/master/bin/guacctl
>
>
Yup, I noticed that and tested the functionality with guacctl so I don't
have to type those codes myself.



>> but it seems it's not configurable via protocol API and seems to affect
>> sftp file transport (couldn't see it in guac_rdp_upload_file_handler,
>> but haven't tested on Windows yet).
>>
>> Are there any plans to unify this behaviour (maybe allow setting the
>> directory with custom protocol and use it for other transports as well)?
>>
>
> The Guacamole protocol does allow for uploading to specific directories
> leveraging the filesystem object. You can see this done in practice in the
> file browser within the Guacamole menu.
>
>> Quick fix for my use case is to ignore filesystem->upload_path in
>> guac_common_ssh_sftp_handle_file_stream, but that does make it dependent on
>> this non-upstream change.
>>
>
> If you are stripping away the code that ensures paths are not included in
> the uploaded filename, you may well be introducing a security vulnerability
> that will allow users to write files anywhere on disk. Upload location is
> intentionally tightly controlled.
>
>
Yeah, that was why I wanted to avoid this in the first place. It could be very
easy to introduce some security issue with seemingly irrelevant changes.



>> Or is there any other option how to set the upload_path variable which I'm
>> missing?
>>
>
> It's done through the filesystem object and "put" streams:
>
>
> http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Client.html#event:onfilesystem
>
> http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Object.html
>
> (See createOutputStream() in particular)
>
> Underlying, low-level protocol:
>
>
> http://guacamole.apache.org/doc/gug/protocol-reference.html#filesystem-object-instruction
>
>
> http://guacamole.apache.org/doc/gug/protocol-reference.html#put-object-instruction
>
> The nature of object stream names is described for "get":
>
>
> http://guacamole.apache.org/doc/gug/protocol-reference.html#get-object-instruction
>
>
Thanks a lot, that works like a charm. createOutputStream() handles the
stream creation, so our backend can now send chunks with blob instruction.



> - Mike
>
>

-- 
Best Regards

Lukáš Raška
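
Added example, not part of the original message and not guacd's own code: a minimal C sketch of the kind of check Mike describes, where the upload directory stays under server control and the client-supplied filename is accepted only as a single path component. The function name `build_upload_path`, the directory and the sample filenames are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not guacd's code): joins a server-controlled upload
 * directory with a client-supplied filename. Returns 0 on success, -1 if the
 * name could escape the directory or the result does not fit in out. */
int build_upload_path(const char *upload_dir, const char *filename,
                      char *out, size_t out_len) {

    if (!upload_dir || !filename || !out || out_len == 0 || !upload_dir[0])
        return -1;

    /* Empty names and the special entries "." and ".." are never valid */
    if (filename[0] == '\0' || strcmp(filename, ".") == 0
            || strcmp(filename, "..") == 0)
        return -1;

    /* Must be a single path component: no separators of either style */
    if (strpbrk(filename, "/\\") != NULL)
        return -1;

    /* Avoid a doubled separator when the directory already ends in '/' */
    size_t dir_len = strlen(upload_dir);
    const char *sep = (upload_dir[dir_len - 1] == '/') ? "" : "/";

    /* snprintf returns the length it needed; treat truncation as failure */
    int needed = snprintf(out, out_len, "%s%s%s", upload_dir, sep, filename);
    if (needed < 0 || (size_t) needed >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample filenames, as a client might send them */
    const char *names[] = { "report.txt", "../outside.txt", "/tmp/outside.txt",
                            "..", "dir\\outside.txt", "" };
    char path[64];
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = build_upload_path("/home/user/uploads", names[i],
                                   path, sizeof(path));
        printf("%-20s -> %s\n", names[i], rc == 0 ? path : "(rejected)");
    }
    return 0;
}
```

Removing a check like this, as the "quick fix" in the thread would, lets the filename alone decide where the file is written.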
