Pass -restrict-acl, if given, through to sub-PuTTYs.

This change applies to every situation when GUI PuTTY knowingly spawns
another GUI PuTTY, to wit, the System menu options 'New Session',
'Duplicate Session' and the 'Saved Sessions' submenu.

(Literally speaking, what we actually pass through to the sub-PuTTY's
command line is not the "-restrict-acl" option itself, but a special
prefix "&R", which has the same meaning but which lives in the special
pre-argv-splitting command-line namespace like the magic options used
for Duplicate Session and the old '@sessionname' prefix which the
Saved Sessions submenu still uses. Otherwise, by the time we split up
argv and recognised -restrict-acl, it would be too late to parse those
other options.)

One case in which PuTTY spawns a subprocess and this change _doesn't_
apply is when the subprocess is a proxy command which happens to be a
Plink. Recognising Plink commands in that situation would be fragile
and unreliable, and in any case if the user wants a proxy Plink to be
ACL-restricted, they are in control of its exact command line so they
can add -restrict-acl themselves.

diff --git a/cmdline.c b/cmdline.c
index 73ede3425dcf26ad26c3d1b24419a99d600c4469..f288ed629ee837272998ec554cb45e3bbfbc3552 100644 (file)
--- a/cmdline.c
+++ b/cmdline.c
@@ -617,6 +617,7 @@ int cmdline_process_param(const char *p, char *value,
         !strcmp(p, "-restrictacl")) {
        RETURN(1);
         restrict_process_acl();
+        restricted_acl = TRUE;
     }
 #endif
 

diff --git a/windows/window.c b/windows/window.c
index 4ce9b7b2f028d407f81cc562abd5b5274830fb59..69a31593b381992f11153703a85c9dab817b6939 100644 (file)
--- a/windows/window.c
+++ b/windows/window.c
@@ -432,11 +432,20 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
         * Process a couple of command-line options which are more
         * easily dealt with before the line is broken up into words.
         * These are the old-fashioned but convenient @sessionname and
-        * the internal-use-only &sharedmemoryhandle, neither of which
-        * are combined with anything else.
+        * the internal-use-only &sharedmemoryhandle, plus the &R
+        * prefix for -restrict-acl, all of which are used by PuTTYs
+        * auto-launching each other via System-menu options.
         */
        while (*p && isspace(*p))
            p++;
+        if (*p == '&' && p[1] == 'R' &&
+            (!p[2] || p[2] == '@' || p[2] == '&')) {
+            /* &R restrict-acl prefix */
+            restrict_process_acl();
+            restricted_acl = TRUE;
+            p += 2;
+        }
+
        if (*p == '@') {
             /*
              * An initial @ means that the whole of the rest of the
@@ -474,7 +483,11 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
                cleanup_exit(0);
            }
            allow_launch = TRUE;
-       } else {
+       } else if (!*p) {
+            /* Do-nothing case for an empty command line - or rather,
+             * for a command line that's empty _after_ we strip off
+             * the &R prefix. */
+        } else {
            /*
             * Otherwise, break up the command line and deal with
             * it sensibly.
@@ -2148,13 +2161,18 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
          case IDM_SAVEDSESS:
            {
                char b[2048];
-               char c[30], *cl;
-               int freecl = FALSE;
+               char *cl;
+                const char *argprefix;
                BOOL inherit_handles;
                STARTUPINFO si;
                PROCESS_INFORMATION pi;
                HANDLE filemap = NULL;
 
+                if (restricted_acl)
+                    argprefix = "&R";
+                else
+                    argprefix = "";
+
                if (wParam == IDM_DUPSESS) {
                    /*
                     * Allocate a file-mapping memory chunk for the
@@ -2181,20 +2199,21 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
                        }
                    }
                    inherit_handles = TRUE;
-                   sprintf(c, "putty &%p:%u", filemap, (unsigned)size);
-                   cl = c;
+                   cl = dupprintf("putty %s&%p:%u", argprefix,
+                                   filemap, (unsigned)size);
                } else if (wParam == IDM_SAVEDSESS) {
                    unsigned int sessno = ((lParam - IDM_SAVED_MIN)
                                           / MENU_SAVED_STEP) + 1;
                    if (sessno < (unsigned)sesslist.nsessions) {
                        const char *session = sesslist.sessions[sessno];
-                       cl = dupprintf("putty @%s", session);
+                       cl = dupprintf("putty %s@%s", argprefix, session);
                        inherit_handles = FALSE;
-                       freecl = TRUE;
                    } else
                        break;
                } else /* IDM_NEWSESS */ {
-                   cl = NULL;
+                    cl = dupprintf("putty%s%s",
+                                   *argprefix ? " " : "",
+                                   argprefix);
                    inherit_handles = FALSE;
                }
 
@@ -2213,8 +2232,7 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
 
                if (filemap)
                    CloseHandle(filemap);
-               if (freecl)
-                   sfree(cl);
+                sfree(cl);
            }
            break;
          case IDM_RESTART:

diff --git a/windows/winstuff.h b/windows/winstuff.h
index a120a735b1cc779ce75022095a707e2fdaca1523..c941e3c3cd252f05a4d5736e5e5ddc86f49e7bf0 100644 (file)
--- a/windows/winstuff.h
+++ b/windows/winstuff.h
@@ -485,6 +485,7 @@ BOOL init_winver(void);
 HMODULE load_system32_dll(const char *libname);
 const char *win_strerror(int error);
 void restrict_process_acl(void);
+GLOBAL int restricted_acl;
 
 /*
  * Exports from sizetip.c.