Hi, st 12. 6. 2019 v 19:51 odesílatel Mike Jumper <[email protected]> napsal:
> On Wed, Jun 12, 2019, 09:17 Lukáš Raška <[email protected]> wrote: > >> Hello, >> so after digging through guacd source, I found out it can be controller >> via 482201 console code, >> > > Or via the guacctl utility provided to send those codes: > > https://github.com/apache/guacamole-server/blob/master/bin/guacctl > > Yup, I noticed that and tested the functionality with guacctl so I don't have to type those codes myself. > but it seems it's not configurable via protocol API and seems to affect >> sftp file transport (couldn't see it in guac_rdp_upload_file_handler, >> but haven't tested on Windows yet). >> >> Are there any plans to unify this behaviour (maybe allow setting the >> directory with custom protocol and use it for other transports as well)? >> > > The Guacamole protocol does allow for uploading to specific directories > leveraging the filesystem object. You can see this done in practice in the > file browser within the Guacamole menu. > > Quick fix for my usecase is to ignore filesystem->upload_path in >> guac_common_ssh_sftp_handle_file_stream, but that does make it dependent on >> this non-upstream change. >> > > If you are stripping away the code that ensures paths are not included in > the uploaded filename, you may well be introducing a security vulnerability > that will allow users to write files anywhere on disk. Upload location is > intentionally tightly controlled. > > Yeah, that was why I wanted to avoid this in first place. It could be very easy to introduce some security issue with seemingly irrelevant changes. > Or is there any other option how to set the upload_path variable which I'm >> missing? >> > > It's done through the filesystem object and "put" streams: > > > http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Client.html#event:onfilesystem > > http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Object.html > > (See createOutputStream() in particular) > > Underlying, low-level protocol: > > > http://guacamole.apache.org/doc/gug/protocol-reference.html#filesystem-object-instruction > > > http://guacamole.apache.org/doc/gug/protocol-reference.html#put-object-instruction > > The nature of object stream names is described for "get": > > > http://guacamole.apache.org/doc/gug/protocol-reference.html#get-object-instruction > > Thanks a lot, that works like a charm. createOutputStream() handles the stream creation, so our backend can now send chunks with blob instruction. > - Mike > > -- Best Regards Lukáš Raška
