reapply outboud-resitrcted clipboard

Krzysztof Adamski 2018-11-19 13:04:43 +01:00 committed by Jaroslaw Osmanski
parent 0d8a49ab13
commit 751cd97018
6 changed files with 52 additions and 2 deletions


@ -196,6 +196,12 @@ login for all users is enabled.
\fIThis option is currently ignored!\fR Only members of this group can
have session management rights.
.TP
\fBRestrictOutboundClipboard\fR=\fI[true|false]\fR
If set to \fB1\fR, \fBtrue\fR or \fByes\fR, will restrict the clipboard
outbound from the server, to prevent data copied inside the xrdp session
to be be pasted in the client host. Default value is \fBfalse\fR.
.TP
\fBAlwaysGroupCheck\fR=\fI[true|false]\fR
If set to \fB1\fR, \fBtrue\fR or \fByes\fR, require group membership even


@ -9,7 +9,9 @@ AM_CPPFLAGS = \
-DXRDP_SHARE_PATH=\"${datadir}/xrdp\" \
-DXRDP_PID_PATH=\"${localstatedir}/run\" \
-DXRDP_SOCKET_PATH=\"${socketdir}\" \
-I$(top_srcdir)/common
-I$(top_srcdir)/common \
-I$(top_srcdir)/sesman \
-I$(top_srcdir)/sesman/libscp
if XRDP_DEBUG
AM_CPPFLAGS += -DXRDP_DEBUG
@ -54,6 +56,7 @@ xrdp_chansrv_SOURCES = \
clipboard_common.h \
clipboard_file.c \
clipboard_file.h \
config.c \
devredir.c \
devredir.h \
fifo.c \
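Review bot: `config.c` is added to `xrdp_chansrv_SOURCES` without a directory, while clipboard.c includes the matching header as `../config.h`; if the intended source is the sesman one, the entry would presumably need to be `../config.c`, though the tree layout is not visible on this page. Compiling the sesman configuration parser into chansrv also means chansrv has to link everything config.c references and has to be able to read the sesman configuration file at run time, which is worth checking for a process that runs as the session user. Both variable definitions continue outside the hunks.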


@ -170,6 +170,7 @@ x-special/gnome-copied-files
#include "parse.h"
#include "os_calls.h"
#include "chansrv.h"
#include "../config.h"
#include "clipboard.h"
#include "clipboard_file.h"
#include "clipboard_common.h"
@ -229,12 +230,16 @@ static char g_bmp_image_header[] =
extern int g_cliprdr_chan_id; /* in chansrv.c */
struct config_sesman g_cfg /* config.h */
extern Display *g_display; /* in xcommon.c */
extern int g_x_socket; /* in xcommon.c */
extern tbus g_x_wait_obj; /* in xcommon.c */
extern Screen *g_screen; /* in xcommon.c */
extern int g_screen_num; /* in xcommon.c */
int g_outbound_clipboard_restricted = 0;
int g_clip_up = 0;
static Atom g_clipboard_atom = 0; /* CLIPBOARD */
@ -376,6 +381,17 @@ clipboard_init(void)
return 0;
}
if (0 != config_read(&g_cfg))
{
g_printf("clipboard: error reading config. quitting.\n");
return 1;
}
log_debug("clipboard_init: outbound clipboard restricted -> " + g_cfg.sec.restrict_oubound_clipboard)
//one-way clipboard
g_outbound_clipboard_restricted = g_cfg.sec.restrict_oubound_clipboard;
xfuse_init();
xcommon_init();
g_incr_max_req_size = XMaxRequestSize(g_display) * 4 - 24;
@ -2485,6 +2501,8 @@ clipboard_xevent(void *xevent)
{
XEvent *lxevent;
log_debug("clipboard_xevent: event detected");
if (!g_clip_up)
{
return 1;
@ -2495,7 +2513,13 @@ clipboard_xevent(void *xevent)
switch (lxevent->type)
{
case SelectionNotify:
if (g_outbound_clipboard_restricted == 0) {
log_debug("clipboard_xevent: clipboard SelectionNotify event on xorg.")
clipboard_event_selection_notify(lxevent);
} else {
log_debug("clipboard_xevent: clipboard restricted, ignoring xorg event.")
return 1;
}
break;
case SelectionRequest:
clipboard_event_selection_request(lxevent);
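Review bot: The added lines in this file do not compile as shown: `struct config_sesman g_cfg` and the two `log_debug(...)` calls in the SelectionNotify branch have no terminating `;`, and the `log_debug` call in clipboard_init lacks one too and builds its message with `+`. In C, adding an int to a string literal is pointer arithmetic rather than formatting, so, assuming log_debug takes a printf-style format, that call should read `log_debug("clipboard_init: outbound clipboard restricted -> %d", g_cfg.sec.restrict_oubound_clipboard);`. The restriction is checked only in the SelectionNotify case of clipboard_xevent; because the option is meant to stop data leaving the session, it is worth confirming that no other path that sends clipboard data to the client (the file-copy code in clipboard_file.c, for instance) bypasses it, which these hunks do not show. clipboard_init and clipboard_xevent both continue outside the hunks.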


@ -235,6 +235,7 @@ config_read_security(int file, struct config_security *sc,
sc->login_retry = 3;
sc->ts_users_enable = 0;
sc->ts_admins_enable = 0;
sc->restrict_oubound_clipboard = 0;
file_read_section(file, SESMAN_CFG_SECURITY, param_n, param_v);
@ -273,6 +274,13 @@ config_read_security(int file, struct config_security *sc,
{
sc->ts_always_group_check = g_text2bool((char *)list_get_item(param_v, i));
}
if (0 == g_strcasecmp(buf, SESMAN_CFG_RESTRICT_CLIPBOARD))
{
sc->restrict_oubound_clipboard = g_text2bool((char *)list_get_item(param_v, i));
}
}
return 0;
@ -497,6 +505,7 @@ config_dump(struct config_sesman *config)
g_writeln(" AllowRootLogin: %d", sc->allow_root);
g_writeln(" MaxLoginRetry: %d", sc->login_retry);
g_writeln(" AlwaysGroupCheck: %d", sc->ts_always_group_check);
g_printf("\tRestrictOutboundClipboard: %i\r\n", sc->restrict_oubound_clipboard);
g_printf( " TSUsersGroup: ");
if (sc->ts_users_enable)
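Review bot: `SESMAN_CFG_RESTRICT_CLIPBOARD`, used in the new `g_strcasecmp` branch of config_read_security, is not defined in any hunk shown on this page (the config.h section adds only the struct field), so unless it is defined elsewhere the build fails; it presumably needs `#define SESMAN_CFG_RESTRICT_CLIPBOARD "RestrictOutboundClipboard"` next to the other security keys. In config_dump the new line uses `g_printf("\t...: %i\r\n", ...)` while its neighbours use `g_writeln`; `g_writeln(" RestrictOutboundClipboard: %d", sc->restrict_oubound_clipboard);` would match them. A misspelled value in the ini file presumably parses as false through `g_text2bool` and leaves the clipboard unrestricted, so a comment on the default assignment saying that the option fails open would help operators. Both functions continue outside the hunks.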


@ -126,6 +126,11 @@ struct config_security
* @brief if the Groups are not found deny access
*/
int ts_always_group_check;
/**
* @var restrict_oubound_clipboard
* @brief if the clipboard should be enforced restricted. If true only allow client -> server, not vice versa.
*/
int restrict_oubound_clipboard;
};
/**
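Review bot: The new field is spelled `restrict_oubound_clipboard` (the `t` of "outbound" is missing), and the same spelling is used in config.c and clipboard.c; renaming it to `restrict_outbound_clipboard` in this commit is cheaper than doing so once more code depends on it. The `@brief` could also state the direction precisely, for example `@brief if non-zero, clipboard data may flow client -> server only; server -> client is blocked`. The struct begins outside the hunk.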


@ -19,6 +19,9 @@ TerminalServerAdmins=tsadmins
; When AlwaysGroupCheck=false access will be permitted
; if the group TerminalServerUsers is not defined.
AlwaysGroupCheck=false
; When RestrictOutboundClipboard=true clipboard from the
; server is not pushed to the client.
RestrictOutboundClipboard=false
[Sessions]
;; X11DisplayOffset - x11 display number offset