From f049690465b09ac950cbafd5b065bafd968f034b Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sat, 4 Feb 2017 07:57:36 +0000 Subject: [PATCH] Pass -restrict-acl, if given, through to sub-PuTTYs. This change applies to every situation when GUI PuTTY knowingly spawns another GUI PuTTY, to wit, the System menu options 'New Session', 'Duplicate Session' and the 'Saved Sessions' submenu. (Literally speaking, what we actually pass through to the sub-PuTTY's command line is not the "-restrict-acl" option itself, but a special prefix "&R", which has the same meaning but which lives in the special pre-argv-splitting command-line namespace like the magic options used for Duplicate Session and the old '@sessionname' prefix which the Saved Sessions submenu still uses. Otherwise, by the time we split up argv and recognised -restrict-acl, it would be too late to parse those other options.) One case in which PuTTY spawns a subprocess and this change _doesn't_ apply is when the subprocess is a proxy command which happens to be a Plink. Recognising Plink commands in that situation would be fragile and unreliable, and in any case if the user wants a proxy Plink to be ACL-restricted, they are in control of its exact command line so they can add -restrict-acl themselves. --- cmdline.c | 1 + windows/window.c | 42 ++++++++++++++++++++++++++++++------------ windows/winstuff.h | 1 + 3 files changed, 32 insertions(+), 12 deletions(-) diff --git a/cmdline.c b/cmdline.c index 73ede342..f288ed62 100644 --- a/cmdline.c +++ b/cmdline.c @@ -617,6 +617,7 @@ int cmdline_process_param(const char *p, char *value, !strcmp(p, "-restrictacl")) { RETURN(1); restrict_process_acl(); + restricted_acl = TRUE; } #endif diff --git a/windows/window.c b/windows/window.c index 4ce9b7b2..69a31593 100644 --- a/windows/window.c +++ b/windows/window.c 
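Review bot: In the `-restrict-acl` branch of cmdline_process_param (cmdline.c hunk), `restricted_acl = TRUE;` is set unconditionally right after `restrict_process_acl();`, and the same two-statement pair is repeated in the `&R` branch of WinMain in windows/window.c. restrict_process_acl() is declared `void` in winstuff.h, so nothing visible here shows whether it can return without the ACL applied; if it can, the flag would report a restriction that is not in force. Setting the flag inside restrict_process_acl() itself would keep the two in step and remove the duplication. Failing that, a comment such as `/* remembered so that sub-PuTTYs launched from the System menu are restricted too */` would explain why the flag exists. The enclosing function begins and ends outside this hunk.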
@@ -432,11 +432,20 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show) * Process a couple of command-line options which are more * easily dealt with before the line is broken up into words. * These are the old-fashioned but convenient @sessionname and - * the internal-use-only &sharedmemoryhandle, neither of which - * are combined with anything else. + * the internal-use-only &sharedmemoryhandle, plus the &R + * prefix for -restrict-acl, all of which are used by PuTTYs + * auto-launching each other via System-menu options. */ while (*p && isspace(*p)) p++; + if (*p == '&' && p[1] == 'R' && + (!p[2] || p[2] == '@' || p[2] == '&')) { + /* &R restrict-acl prefix */ + restrict_process_acl(); + restricted_acl = TRUE; + p += 2; + } + if (*p == '@') { /* * An initial @ means that the whole of the rest of the @@ -474,7 +483,11 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show) cleanup_exit(0); } allow_launch = TRUE; - } else { + } else if (!*p) { + /* Do-nothing case for an empty command line - or rather, + * for a command line that's empty _after_ we strip off + * the &R prefix. */ + } else { /* * Otherwise, break up the command line and deal with * it sensibly. @@ -2148,13 +2161,18 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message, case IDM_SAVEDSESS: { char b[2048]; - char c[30], *cl; - int freecl = FALSE; + char *cl; + const char *argprefix; BOOL inherit_handles; STARTUPINFO si; PROCESS_INFORMATION pi; HANDLE filemap = NULL; + if (restricted_acl) + argprefix = "&R"; + else + argprefix = ""; + if (wParam == IDM_DUPSESS) { /* * Allocate a file-mapping memory chunk for the 
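Review bot: The `&R` test added to WinMain fails open: when the prefix is followed by anything other than NUL, `@` or `&` (a space, for instance), the condition is false, restrict_process_acl() is never called, and the text falls through to the later branches with no diagnostic. The check is therefore tightly coupled to the three `dupprintf` format strings in WndProc's IDM_NEWSESS/IDM_DUPSESS/IDM_SAVEDSESS case (the `@@ -2181` hunk in this file), which must keep `argprefix` directly adjacent to whatever follows it. I would record that next to the test, e.g. `/* accepted followers mirror the command lines built in WndProc; any other form is NOT restricted */`, and consider defining the `"&R"` literal once so the parser and the builder cannot drift apart. WinMain continues outside this hunk, so how an unrecognised `&R...` string is treated further down cannot be confirmed from here.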
@@ -2181,20 +2199,21 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message, } } inherit_handles = TRUE; - sprintf(c, "putty &%p:%u", filemap, (unsigned)size); - cl = c; + cl = dupprintf("putty %s&%p:%u", argprefix, + filemap, (unsigned)size); } else if (wParam == IDM_SAVEDSESS) { unsigned int sessno = ((lParam - IDM_SAVED_MIN) / MENU_SAVED_STEP) + 1; if (sessno < (unsigned)sesslist.nsessions) { const char *session = sesslist.sessions[sessno]; - cl = dupprintf("putty @%s", session); + cl = dupprintf("putty %s@%s", argprefix, session); inherit_handles = FALSE; - freecl = TRUE; } else break; } else /* IDM_NEWSESS */ { - cl = NULL; + cl = dupprintf("putty%s%s", + *argprefix ? " " : "", + argprefix); inherit_handles = FALSE; } @@ -2213,8 +2232,7 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message, if (filemap) CloseHandle(filemap); - if (freecl) - sfree(cl); + sfree(cl); } break; case IDM_RESTART: diff --git a/windows/winstuff.h b/windows/winstuff.h index a120a735..c941e3c3 100644 --- a/windows/winstuff.h +++ b/windows/winstuff.h @@ -485,6 +485,7 @@ BOOL init_winver(void); HMODULE load_system32_dll(const char *libname); const char *win_strerror(int error); void restrict_process_acl(void); +GLOBAL int restricted_acl; /* * Exports from sizetip.c. -- 2.45.1
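Review bot: The new `GLOBAL int restricted_acl;` in windows/winstuff.h carries security-relevant state but is declared with no comment, so a reader of the header cannot tell who sets it or what depends on it. Something like `/* TRUE once -restrict-acl (or its &R prefix form) has been processed; read by WndProc when spawning sub-PuTTYs */` would cover it. The flag is never explicitly initialised in this patch, so the unrestricted default presumably relies on zero-initialisation of a static-storage object; that depends on how `GLOBAL` expands, which is not visible here and is worth confirming.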