On Wed, Jun 12, 2019, 09:17 Lukáš Raška <[email protected]> wrote:

> Hello,
> so after digging through guacd source, I found out it can be controlled
> via 482201 console code,
>

Or via the guacctl utility provided to send those codes:

https://github.com/apache/guacamole-server/blob/master/bin/guacctl

> but it seems it's not configurable via protocol API and seems to affect
> sftp file transport (couldn't see it in guac_rdp_upload_file_handler, but
> haven't tested on Windows yet).
>
> Are there any plans to unify this behaviour (maybe allow setting the
> directory with custom protocol and use it for other transports as well)?
>

The Guacamole protocol does allow for uploading to specific directories leveraging the filesystem object. You can see this done in practice in the file browser within the Guacamole menu.

> Quick fix for my use case is to ignore filesystem->upload_path in
> guac_common_ssh_sftp_handle_file_stream, but that does make it dependent on
> this non-upstream change.
>

If you are stripping away the code that ensures paths are not included in the uploaded filename, you may well be introducing a security vulnerability that will allow users to write files anywhere on disk. Upload location is intentionally tightly controlled.

> Or is there any other option how to set the upload_path variable which I'm
> missing?
>

It's done through the filesystem object and "put" streams:

http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Client.html#event:onfilesystem
http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Object.html
(See createOutputStream() in particular)

Underlying, low-level protocol:

http://guacamole.apache.org/doc/gug/protocol-reference.html#filesystem-object-instruction
http://guacamole.apache.org/doc/gug/protocol-reference.html#put-object-instruction

The nature of object stream names is described for "get":

http://guacamole.apache.org/doc/gug/protocol-reference.html#get-object-instruction

- Mike
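
The kind of filename check the reply above warns against removing, as an added example that is not part of the original message and is not guacamole-server's own code. The function name `build_upload_path`, the directory and the sample names are hypothetical; the point is that a client-supplied name is accepted only when it carries no path component, and is then joined to a server-controlled upload directory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not guacamole-server code): joins a server-chosen
 * upload directory with a client-supplied filename. Returns 0 on success,
 * -1 if the name is rejected or the result does not fit in out. */
int build_upload_path(const char* upload_dir, const char* filename,
        char* out, size_t out_len) {

    /* Reject empty names and the directory references "." and ".." */
    if (filename[0] == '\0' || strcmp(filename, ".") == 0
            || strcmp(filename, "..") == 0)
        return -1;

    /* Reject any path separator, so the name cannot leave upload_dir */
    if (strpbrk(filename, "/\\") != NULL)
        return -1;

    size_t dir_len = strlen(upload_dir);
    size_t name_len = strlen(filename);
    if (dir_len == 0)
        return -1; /* No upload directory configured: refuse the upload */

    /* Add a separator only if upload_dir does not already end with one */
    size_t need_sep = (upload_dir[dir_len - 1] != '/') ? 1 : 0;

    /* Fail instead of truncating: a truncated path names a different file */
    if (dir_len + need_sep + name_len + 1 > out_len)
        return -1;

    memcpy(out, upload_dir, dir_len);
    if (need_sep)
        out[dir_len++] = '/';
    memcpy(out + dir_len, filename, name_len + 1);
    return 0;
}

int main(void) {
    /* Constructed sample names, for illustration only */
    const char* names[] = { "report.pdf", "../other/file.txt", "a\\b.txt", ".." };
    char path[64];
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (build_upload_path("/home/user/uploads", names[i], path, sizeof(path)) == 0)
            printf("accepted: %s -> %s\n", names[i], path);
        else
            printf("rejected: %s\n", names[i]);
    }
    return 0;
}
```

Uploads that need to land in a different directory should name that directory through the filesystem object and a "put" stream, as described above, rather than by relaxing this check.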
