guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: Unable to specify upload directory in file stream
Date Wed, 12 Jun 2019 17:51:36 GMT
On Wed, Jun 12, 2019, 09:17 Lukáš Raška <> wrote:

> Hello,
> so after digging through guacd source, I found out it can be controller
> via 482201 console code,

Or via the guacctl utility provided to send those codes:

but it seems it's not configurable via protocol API and seems to affect
> sftp file transport (couldn't see it in guac_rdp_upload_file_handler, but
> haven't tested on Windows yet).
> Are there any plans to unify this behaviour (maybe allow setting the
> directory with custom protocol and use it for other transports as well)?

The Guacamole protocol does allow for uploading to specific directories
leveraging the filesystem object. You can see this done in practice in the
file browser within the Guacamole menu.

Quick fix for my usecase is to ignore filesystem->upload_path in
> guac_common_ssh_sftp_handle_file_stream, but that does make it dependent on
> this non-upstream change.

If you are stripping away the code that ensures paths are not included in
the uploaded filename, you may well be introducing a security vulnerability
that will allow users to write files anywhere on disk. Upload location is
intentionally tightly controlled.

Or is there any other option how to set the upload_path variable which I'm
> missing?

It's done through the filesystem object and "put" streams:

(See createOutputStream() in particular)

Underlying, low-level protocol:

The nature of object stream names is described for "get":

- Mike

View raw message