flush stdout after writing "sftp>" prompt when not using editline.

From Alpine Linux via GHPR480

whitespace

rename remote_glob() -> sftp_glob() to match other API

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

fix double words
ok dtucker@

don't care about glob() return value here.

Explictly ignore return codes where we don't check them. From Dmitry
Belyavskiy via github PR#238, ok djm@

Plug another potential mem leak in process_put. It allocates abs_dst
inside a loop but only frees it on exit, so free inside the loop if
necessary. Coverity CID 291837, ok djm@

Plug more mem leaks in sftp by making make_absolute_pwd_glob work in
the same way as make_absolute: you pass it a dynamically allocated string
and it either returns it, or frees it and allocates a new one.
Patch from emaste at freebsd.org and https://reviews.freebsd.org/D37253
ok djm@

calloc can return NULL but xcalloc cannot. From Coverity CID 291881,
ok djm@

Plug mem leak. Coverity CID 405196, ok djm@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Plug mem leak on globbed ls error path. Spotted by Coverity, ok deraadt@

suppress "Connection closed" message when in quiet mode

add -X to usage();

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

use users-groups-by-id@openssh.com sftp-server extension (when
available) to fill in user/group names for directory listings.
Implement a client-side cache of see uid/gid=>user/group names.
ok markus@

extend sftp-common.c:extend ls_file() to support supplied user/group
names; ok markus@

sftp: Be a bit more clever about completions

There are commands (e.g. "get" or "put") that accept two
arguments, a local path and a remote path. However, the way
current completion is written doesn't take this distinction into
account and always completes remote or local paths.

By expanding CMD struct and "cmds" array this distinction can be
reflected and with small adjustment to completer code the correct
path can be completed.

By Michal Privoznik, ok dtucker@

sftp: Don't attempt to complete arguments for non-existent commands

If user entered a non-existent command (e.g. because they made a
typo) there is no point in trying to complete its arguments. Skip
calling complete_match() if that's the case.

From Michal Privoznik

reflect the update to -D arg name in usage();

allow arguments to sftp -D option, e.g.
sftp -D "/usr/libexec/sftp-server -el debug3"

ok markus@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

When performing operations that glob(3) a remote path, ensure that the
implicit working directory used to construct that path escapes glob(3)
characters.

This prevents glob characters from being processed in places they
shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
treat the path "/tmp/a*" literally and not attempt to expand it.

Reported by Lusia Kundel; ok markus@

add a sftp client "cp" command that supports server-side copying
of files. Useful for this task and for testing the copy-data
extension. Patch from Mike Frysinger; ok dtucker@

remove blank line

Do not ignore SIGINT while waiting for input if editline(3) is not used.
Instead, in non-interactive mode, exit sftp(1), like for other serious errors.
As pointed out by dtucker@, when compiled without editline(3) support in
portable OpenSSH, the el == NULL branch is also used for interactive mode.
In that case, discard the input line and provide a fresh prompt to the user
just like in the case where editline(3) is used.
OK djm@

In the editline(3) branch of the sftp(1) event loop, handle SIGINT
rather than ignoring it, such that the user can use Ctrl-C to discard
the currently edited command line and get a fresh prompt, just like
in ftp(1), bc(1), and in shells.

It is critical to not use ssl_signal() for this particular case
because that function unconditionally sets SA_RESTART, but here we
need the signal to interrupt the read(2) in the el_gets(3) event loop.

OK dtucker@ deraadt@

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

typos in comments; GHPR#180 from Ville Skytt��

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Use new limits@openssh.com protocol extension to let the client select
good limits based on what the server supports. Split the download and
upload buffer sizes to allow them to be chosen independently.

In practice (and assuming upgraded sftp/sftp-server at each end), this
increases the download buffer 32->64KiB and the upload buffer
32->255KiB.

Patches from Mike Frysinger; ok dtucker@

don't try to use timespeccmp(3) directly as a qsort(3) comparison
function - it returns 0/1 and not the -1/0/1 that qsort expectes.

fixes sftp "ls -ltr" under some circumstances.

Based on patch by Masahiro Matsuya via bz3248.

shuffle a few utility functions into sftp-client.c; from Jakub Jelen

whitespace; no code change

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

Allow full range of UIDs and GIDs for sftp chown and chgrp on 32bit
platforms instead of being limited by LONG_MAX. bz#3206, found by
booking00 at sina.cn, ok markus@

allow -A to explicitly enable agent forwarding in scp and sftp. The
default remains to not forward an agent, even when ssh_config enables
it. ok jmc dtucker markus

sort -N and add it to usage();

Add a flag to re-enable verbose output when in batch mode;
requested in bz3135; ok dtucker

Have sftp reject "-1" in the same way as ssh(1) and scp(1) do instead
of accepting and silently ignoring it since protocol 1 support has
been removed. Spotted by shivakumar2696 at gmail.com, ok deraadt@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix a race condition in the SIGCHILD handler that could turn in
to a kill(-1); bz3084, reported by Gao Rui, ok dtucker@

remove some duplicate #includes

Fix a typo and make <esc><right> move right to the closest end of a word
just like <esc><left> moves left to the closest beginning of a word.

ok djm

from tim:
- for reput, it is remote-path which is optional, not local-path
- sync help

from deraadt:
- prefer -R and undocument -r (but add a comment for future editors)

from schwarze:
- prefer -p and undocument -P (as above. the comment was schwarze's too)

more:
- add the -f flag to reput and reget
- sort help (i can;t remember who suggested this originally)

djm and deraadt were ok with earlier versions of this;
tim and schwarze ok

Check for user@host when parsing sftp target. This allows user@[1.2.3.4]
to work without a path in addition to with one. bz#2999, ok djm@

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1)
to match ssh(1)'s interface.

ok djm

Add "-h" flag to sftp chown/chgrp/chmod commands to request they do
not follow symlinks. Requires recently-committed lsetstat@openssh.com
extension on the server side.

ok markus@ dtucker@

use path_absolute() for pathname checks; from Manoj Ampalam

support a prefix of '@' to suppress echo of sftp batch commands;
bz#2926; ok dtucker@

Add FALLTHROUGH comments where appropriate. Patch from jjelen at redhat
via bz#2687.

Since the previous commit, ssh regress test sftp-chroot was failing.
The sftp program terminated with the wrong exit code as sftp called
fatal() instad of exit(0). So when the sigchld handler waits for
the child, remember that it was found. Then don't expect that
main() can wait again.
OK dtucker@

notify user immediately when underlying ssh process dies;
patch from Thomas Kuthan in bz2719; ok dtucker@

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)

allow "cd" and "lcd" commands with no explicit path argument.
lcd will change to the local user's home directory as usual.
cd will change to the starting directory for session (because the
protocol offers no way to obtain the remote user's home directory).
bz#2760 ok dtucker@

Add URI support to ssh, sftp and scp. For example ssh://user@host
or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@

implement sorting for globbed ls; bz#2649 ok dtucker@

remove -1 / -2 options; pointed out by jmc@

fix division by zero crash in "df" output when server returns zero
total filesystem blocks/inodes. Spotted by Guido Vranken; ok dtucker@

Install a signal handler for tty-generated signals and wait for the
ssh child to suspend before suspending sftp. This lets ssh restore
the terminal mode as needed when it is suspended at the password
prompt. OK dtucker@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

constify a few functions' arguments; patch from Jakub Jelen bz#2581

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

whitespace at EOL

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

update sftp client and server to new buffer API.
pretty much just mechanical changes; with & ok markus

Prefer setvbuf() to setlinebuf() for portability; ok deraadt@

correct options in usage(); from mancha1 AT zoho.com

djm how did you make a typo like that...

~-expand lcd paths

more useful error message when GLOB_NOSPACE occurs;
bz#2254, patch from Orion Poplawski

Zap extra whitespace.

OK from djm@ and dtucker@

Don't attempt to append a nul quote char to the filename. Should prevent
fatal'ing with "el_insertstr failed" when there's a single quote char
somewhere in the string. bz#2238, ok markus@

Move nulling of variable next to where it's freed. ok markus@

Sort the sftp command list.

OK from djm@

Implement sftp upload resume support.

OK from djm@, with input from guenther@, mlarkin@ and
okan@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

tweak previous;

fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@

make ^w match ksh behaviour (delete previous word instead of entire line)

enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
matching ksh's relatively recent change.

do getopt parsing for all sftp commands (with an empty optstring for
commands without arguments) to ensure consistent behaviour

add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.

intended for use in regress tests, so no documentation.

fix two year old regression: symlinking a file would incorrectly
canonicalise the target path. bz#2129 report from delphij AT freebsd.org

sort -a;

fix some whitespace at EOL

make list of commands an enum rather than a long list of defines

add -a to usage()

sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@

fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@

Make sftp's libedit interface marginally multibyte aware by building up the
quoted string by character instead of by byte. Prevents failures when linked
against a libedit built with wide character support (bz#1990). "looks ok" djm

bye, bye xfree(); ok markus@

Fix some "unused result" warnings found via clang and -portable. ok markus@

make "sftp -q" do what it says on the sticker: hush everything but errors;
ok dtucker@

fix NULL deref when built without libedit and control characters
entered as command; debugging and patch from Iain Morgan an
Loganaden Velvindron in bz#1956

fix signed vs unsigned warning; feedback & ok: djm@

Fix handling of filenames containing escaped globbing characters and escape
"#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.

Fix improper handling of absolute paths when PWD is part of the completed
path. Patch from Jean-Marc Robert via tech@, ok djm.

Add bounds check on sftp tab-completion. Part of a patch from from Jean-Marc
Robert via tech@, ok djm

an XXX for later

Remove unused variable leftover from tab-completion changes.
From Steve.McClellan at radisys com, ok markus@

setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)

Don't leak list in complete_cmd_parse if there are no commands found.

Discovered when I was ``borrowing'' this code for something else.

ok djm@

don't let remote_glob() implicitly sort its results in do_globbed_ls() -
in all likelihood, they will be resorted anyway

add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@

escape '[' in filename tab-completion; fix a type while there.
ok djm@

use default shell /bin/sh if $SHELL is ""; ok markus@

when performing an "ls" in columnated (short) mode, only call
ioctl(TIOCGWINSZ) once to get the window width instead of per-
filename

make use of new glob(3) GLOB_KEEPSTAT extension to save extra server
rountrips to fetch per-file stat(2) information.

add [-l limit] to usage();

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

unbreak ls in working directories that contains globbing characters in
their pathnames. bz#1655 reported by vgiffin AT apple.com

restore mput and mget which got lost in the tab-completion changes.
found by Kenneth Whitaker, ok djm@

add missing "p" flag to getopt optstring;
bz#1704 from imorgan AT nas.nasa.gov

Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
inherited SIGTERM as ignored it will still be able to kill the ssh it
starts.

ok dtucker@

sftp.1: put ls -h in the right place
sftp.c: as above, plus add -p to get/put, and shorten their arg names
to keep the help usage nicely aligned

ok djm

don't append a space after inserting a completion of a directory (i.e.
a path ending in '/') for a slightly better user experience; ok dtucker@

support '-h' (human-readable units) for sftp's ls command, just like
ls(1); ok dtucker@

Prevent sftp from derefing a null pointer when given a "-" without a command.
Also, allow whitespace to follow a "-". bz#1691, path from Colin Watson via
Debian. ok djm@ deraadt@

Fix two warnings: possibly used unitialized and use a nul byte instead of
NULL pointer. ok djm@

Implement tab-completion of commands, local and remote filenames for sftp.
Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
Google Summer of Code) and polished to a fine sheen by myself again.
It should deal more-or-less correctly with the ikky corner-cases presented
by quoted filenames, but the UI could still be slightly improved.
In particular, it is quite slow for remote completion on large directories.
bz#200; ok markus@

When passing user-controlled options with arguments to other programs,
pass the option and option argument as separate argv entries and
not smashed into one (e.g., as -l foo and not -lfoo). Also, always
pass a "--" argument to stop option parsing, so that a positional
argument that starts with a '-' isn't treated as an option. This
fixes some error cases as well as the handling of hostnames and
filenames that start with a '-'.

Based on a diff by halex@
ok halex@ djm@ deraadt@

fix potential divide-by-zero in sftp's "df" output when talking to a server
that reports zero files on the filesystem (Unix filesystems always have at
least the root inode). From Steve McClellan at radisys, ok djm@

make passing of zero-length arguments to ssh safe by
passing "-<switch>" "<value>" rather than "-<switch><value>"

ok dtucker@, guenther@, djm@

bz#1588 change "Connecting to host..." message to "Connected to host."
and delay it until after the sftp protocol connection has been established.
Avoids confusing sequence of messages when the underlying ssh connection
experiences problems. ok dtucker@

recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@

sync synopsis and usage();

Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.

part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
of Code work; ok deraadt markus

support most of scp(1)'s commandline arguments in sftp(1), as a first
step towards making sftp(1) a drop-in replacement for scp(1).
One conflicting option (-P) has not been changed, pending further
discussion.

Patch from carlosvsilvapt@gmail.com as part of his work in the
Google Summer of Code

Initialize a few variables to prevent spurious "may be used uninitialized"
warnings from newer gcc's. ok djm@

update for the synopses displayed by the 'help' command, there are a
few missing flags; add 'bye' to the output of 'help'; sorting and spacing.

jmc@ suggested replacing .Oo/.Oc with a single .Op macro.

ok jmc@

correct sftp(1) and corresponding usage syntax;
bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@

Deal correctly with failures in remote stat() operation in sftp,
correcting fail-on-error behaviour in batchmode. bz#1541 report and
fix from anedvedicky AT gmail.com; ok markus@

increase number of piplelined requests so they properly fill the
(recently increased) channel window. prompted by rapier AT psc.edu;
ok markus@

use optopt to get invalid flag, instead of return value of getopt,
which is always '?'; ok djm@

Have the sftp client store the statvfs replies in wire format,
which prevents problems when the server's native sizes exceed the
client's.

Also extends the sizes of the remaining 32bit wire format to 64bit,
they're specified as unsigned long in the standard.

introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)

also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation

ok markus@

When uploading, correctly handle the case of an unquoted filename with
glob metacharacters that match a file exactly but not as a glob, e.g. a
file called "[abcd]". report and test cases from duncan2nd AT gmx.de

unbreak lls command and add a regress test that would have caught the
breakage; spotted by mouring@

rework argument splitting and parsing to cope correctly with common shell
escapes and make handling of escaped characters consistent with sh(1) and
between sftp commands (especially between ones that glob their arguments
and ones that don't).
parse command flags using getopt(3) rather than hand-rolled parsers.
ok dtucker@

ARGSUSED for lint

spaces

Don't access buf[strlen(buf) - 1] for zero-length strings.

``ok by me'' djm@.

Clear errno before calling the strtol functions.

From Paul Stoeber <x0001 at x dot de1 dot cc>.

OK deraadt@.

Use S_IS* macros insted of masking with S_IF* flags. The latter may
have multiple bits set, which lead to surprising results. Spotted by
Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@

branches: 1.91.4;
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

buffer.h only needed in sftp-common.h and remove some unneeded
user includes; ok djm@

move #include <sys/socket.h> out of includes.h

fix leak; coverity via Kylene Jo Hall

Switch from using pipes to socketpairs for communication between
sftp/scp and ssh, and between sshd and its subprocesses. This saves
a file descriptor per session and apparently makes userland ppp over
ssh work; ok markus@ deraadt@

always use a format string for addargs; spotted by mouring@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

"abormally" is a perfectly cromulent word, but "abnormally" is better

RCSID() can die

more memory leaks detected by Coverity via elad AT netbsd.org;
deraadt@ ok

branches: 1.75.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <signal.h> out of includes.h; ok markus@

move #include <sys/wait.h> out of includes.h; ok markus@

move #include <sys/ioctl.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@

ensure that stdio fds are attached; ok deraadt@

branches: 1.66.2;
sftp prompt enhancements:
- in non-interactive mode, do not print an empty prompt at the end
before finishing
- print newline after EOF in editline mode
- call el_end() in editline mode

ok dtucker djm

knf says that a 2nd level indent is four (not three or five) spaces

make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.63.2;
spacing

turn on ssh batch mode when in sftp batch mode, patch from jdmossh AT nand.net;
ok markus@

Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@

- fix globbed ls for paths the same lenght as the globbed path when
we have a unique matching.
- fix globbed ls in case of a directory when we have a unique matching.
- as a side effect, if the path does not exist error (used to silently ignore).
- don't do extra do_lstat() if we only have one matching file.

djm@ ok

Some small fixes from moritz@jodeit.org. ok deraadt@

leak; from mpech

command editing and history support via libedit; ok markus@
thanks to hshoexer@ and many testers on tech@ too

branches: 1.56.2;
spaces

bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de

don't show .files by default in ls, add -a option to turn them back on;
ok markus

prefix ls option flags with LS_

introduce sorting for ls, same options as /bin/ls; ok markus@

make ssh -Wshadow clean, no functional changes
markus@ ok

make "ls -l" listings print user/group names, add "ls -n" to show uid/gid
(like /bin/ls); idea & ok markus@

Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@

initialize pointers, ok markus@

exit -> _exit in forked child on error; from andrushock AT korovino.net

gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
waiting for a command; ok markus@

branches: 1.45.2;
Fix initialisation of progress meter; ok markus@

sftp.c and sftp-int.c, together at last; ok markus@

Remove useless headers; ok deraadt@

switch to license.template for code written by me (belated, I know...)

reorder parsing so user:skey@host:file works (bugzilla #777)
patch from admorten AT umich.edu; ok markus@

initialise infile in main, rather than statically - from portable

Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and
enable use of "-b -" to accept batchfile from stdin; ok markus@

scp and sftp: add options list and sort options. options list requested
by deraadt@
sshd: use same format as ssh
ssh: remove wrong option from list
sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)

ok deraadt@ markus@

branches: 1.37.2;
sync usage with manpage, add missing -R

kill ssh process on receipt of signal; ok markus@

Teach ls how to display multiple column display and allow users to return
to single column format via 'ls -1'. OK @djm

branches: 1.34.2;
sftp progress meter support.
original diffs by Nils Nordman <nino at nforced dot com> via markus@, merged
to -current by me, djm@ ok.

Cleanup error handling for batchmode
Allow blank lines and comments in input
Ability to suppress abort on error in batchmode ("-put blah")

Fixes mindrot bug #452; markus@ ok

allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
http://bugzilla.mindrot.org/show_bug.cgi?id=447; ok mouring@, millert@

branches: 1.31.2;
FallBackToRsh does not exist anywhere else. Remove it from here. OK deraadt.

bunch of u_int vs int stuff

branches: 1.29.2;
always call log_init()

check waitpid for EINTR; based on patch from peter@ifm.liu.se

KNF whitespace

Perform multiple overlapping read/write requests in file transfer. Mostly
done by Tobias Ringstrom <tori@ringstrom.mine.nu>; ok markus@

sync usage() with manual.

markus@ ok

Add "-B" option to specify copy buffer length (default 32k); ok markus@

Add "-P" option to directly connect to a local sftp-server. Should be useful
for regression testing; ok markus@

basic KNF done while i was looking for something else

branches: 1.21.2;
add ClearAllForwardings ssh option and set it in scp and sftp; ok markus@

cleanup and document -1, -s and -S; ok markus@

add -Fssh_config option; ok markus@

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use addargs() in sftp plus some clean up of addargs(). OK Markus

Move colon() and cleanhost() to misc.c where I should I have put it in
the first place

branches: 1.15.2;
IPv6 support for sftp (which I bungled in my last patch) which is
borrowed from scp.c. Thanks to Markus@ for pointing it out.

Add support for:
sftp [user@]host[:file [file]] - Fetch remote file(s)
sftp [user@]host[:dir[/]] - Start in remote dir/
OK deraadt@

do not modify an actual argv[] entry

fix whitespace: unexpand + trailing spaces.

branches: 1.11.2;
Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling
functions and small protocol change.

sftp -b batchfile; mouring@etoh.eviladmin.org

clean up arg processing. based on work by Christophe_Moret@hp.com

do not kill the subprocess on termination (we will see if this helps things
or hurts things)

branches: 1.7.2;
allow sftp over ssh protocol 1; ok djm@

Don't forward agent and X11 in sftp. Suggestion from Roumen Petrov
<roumen.petrov@skalasoft.com>

Fix -o option under getopt; ok markus@

Wait for ssh subprocess at exit

Use getopt to process commandline arguments

unexpand and remove end-of-line whitespace; ok markus@

Basic interactive sftp client; ok theo@

whitespace

rename remote_glob() -> sftp_glob() to match other API

the sftp code was one of my first contributions to OpenSSH and it
shows - the function names are terrible.

Rename do_blah() to sftp_blah() to make them less so.

Completely mechanical except for sftp_stat() and sftp_lstat() which
change from returning a pointer to a static variable (error-prone) to
taking a pointer to a caller-provided receiver.

fix double words
ok dtucker@

don't care about glob() return value here.

Explictly ignore return codes where we don't check them. From Dmitry
Belyavskiy via github PR#238, ok djm@

Plug another potential mem leak in process_put. It allocates abs_dst
inside a loop but only frees it on exit, so free inside the loop if
necessary. Coverity CID 291837, ok djm@

Plug more mem leaks in sftp by making make_absolute_pwd_glob work in
the same way as make_absolute: you pass it a dynamically allocated string
and it either returns it, or frees it and allocates a new one.
Patch from emaste at freebsd.org and https://reviews.freebsd.org/D37253
ok djm@

calloc can return NULL but xcalloc cannot. From Coverity CID 291881,
ok djm@

Plug mem leak. Coverity CID 405196, ok djm@

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@

Plug mem leak on globbed ls error path. Spotted by Coverity, ok deraadt@

suppress "Connection closed" message when in quiet mode

add -X to usage();

add a -X option to both scp(1) and sftp(1) to allow control over
some SFTP protocol knobs: the copy buffer length and the number of
inflight requests, both of which are used during upload/download.

Previously these could be controlled in sftp(1) using the -b/-R options.
This makes them available in both SFTP protocol clients using the same
option character sequence.

ok dtucker@

use users-groups-by-id@openssh.com sftp-server extension (when
available) to fill in user/group names for directory listings.
Implement a client-side cache of see uid/gid=>user/group names.
ok markus@

extend sftp-common.c:extend ls_file() to support supplied user/group
names; ok markus@

sftp: Be a bit more clever about completions

There are commands (e.g. "get" or "put") that accept two
arguments, a local path and a remote path. However, the way
current completion is written doesn't take this distinction into
account and always completes remote or local paths.

By expanding CMD struct and "cmds" array this distinction can be
reflected and with small adjustment to completer code the correct
path can be completed.

By Michal Privoznik, ok dtucker@

sftp: Don't attempt to complete arguments for non-existent commands

If user entered a non-existent command (e.g. because they made a
typo) there is no point in trying to complete its arguments. Skip
calling complete_match() if that's the case.

From Michal Privoznik

reflect the update to -D arg name in usage();

allow arguments to sftp -D option, e.g.
sftp -D "/usr/libexec/sftp-server -el debug3"

ok markus@

arrange for scp, when in sftp mode, to not ftruncate(3) files early

previous behavious of unconditionally truncating the destination file
would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to
delete all the contents of their destination.

spotted by solene@ sthen@, also bz3431; ok dtucker@

When performing operations that glob(3) a remote path, ensure that the
implicit working directory used to construct that path escapes glob(3)
characters.

This prevents glob characters from being processed in places they
shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation
treat the path "/tmp/a*" literally and not attempt to expand it.

Reported by Lusia Kundel; ok markus@

add a sftp client "cp" command that supports server-side copying
of files. Useful for this task and for testing the copy-data
extension. Patch from Mike Frysinger; ok dtucker@

remove blank line

Do not ignore SIGINT while waiting for input if editline(3) is not used.
Instead, in non-interactive mode, exit sftp(1), like for other serious errors.
As pointed out by dtucker@, when compiled without editline(3) support in
portable OpenSSH, the el == NULL branch is also used for interactive mode.
In that case, discard the input line and provide a fresh prompt to the user
just like in the case where editline(3) is used.
OK djm@

In the editline(3) branch of the sftp(1) event loop, handle SIGINT
rather than ignoring it, such that the user can use Ctrl-C to discard
the currently edited command line and get a fresh prompt, just like
in ftp(1), bc(1), and in shells.

It is critical to not use ssl_signal() for this particular case
because that function unconditionally sets SA_RESTART, but here we
need the signal to interrupt the read(2) in the el_gets(3) event loop.

OK dtucker@ deraadt@

make scp(1) in SFTP mode follow symlinks like traditional scp(1)
ok markus@

typos in comments; GHPR#180 from Ville Skytt��

highly polished whitespace, mostly fixing spaces-for-tab and bad
indentation on continuation lines. Prompted by GHPR#185

Use new limits@openssh.com protocol extension to let the client select
good limits based on what the server supports. Split the download and
upload buffer sizes to allow them to be chosen independently.

In practice (and assuming upgraded sftp/sftp-server at each end), this
increases the download buffer 32->64KiB and the upload buffer
32->255KiB.

Patches from Mike Frysinger; ok dtucker@

don't try to use timespeccmp(3) directly as a qsort(3) comparison
function - it returns 0/1 and not the -1/0/1 that qsort expectes.

fixes sftp "ls -ltr" under some circumstances.

Based on patch by Masahiro Matsuya via bz3248.

shuffle a few utility functions into sftp-client.c; from Jakub Jelen

whitespace; no code change

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

Allow full range of UIDs and GIDs for sftp chown and chgrp on 32bit
platforms instead of being limited by LONG_MAX. bz#3206, found by
booking00 at sina.cn, ok markus@

allow -A to explicitly enable agent forwarding in scp and sftp. The
default remains to not forward an agent, even when ssh_config enables
it. ok jmc dtucker markus

sort -N and add it to usage();

Add a flag to re-enable verbose output when in batch mode;
requested in bz3135; ok dtucker

Have sftp reject "-1" in the same way as ssh(1) and scp(1) do instead
of accepting and silently ignoring it since protocol 1 support has
been removed. Spotted by shivakumar2696 at gmail.com, ok deraadt@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix a race condition in the SIGCHILD handler that could turn in
to a kill(-1); bz3084, reported by Gao Rui, ok dtucker@

remove some duplicate #includes

Fix a typo and make <esc><right> move right to the closest end of a word
just like <esc><left> moves left to the closest beginning of a word.

ok djm

from tim:
- for reput, it is remote-path which is optional, not local-path
- sync help

from deraadt:
- prefer -R and undocument -r (but add a comment for future editors)

from schwarze:
- prefer -p and undocument -P (as above. the comment was schwarze's too)

more:
- add the -f flag to reput and reget
- sort help (i can;t remember who suggested this originally)

djm and deraadt were ok with earlier versions of this;
tim and schwarze ok

Check for user@host when parsing sftp target. This allows user@[1.2.3.4]
to work without a path in addition to with one. bz#2999, ok djm@

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1)
to match ssh(1)'s interface.

ok djm

Add "-h" flag to sftp chown/chgrp/chmod commands to request they do
not follow symlinks. Requires recently-committed lsetstat@openssh.com
extension on the server side.

ok markus@ dtucker@

use path_absolute() for pathname checks; from Manoj Ampalam

support a prefix of '@' to suppress echo of sftp batch commands;
bz#2926; ok dtucker@

Add FALLTHROUGH comments where appropriate. Patch from jjelen at redhat
via bz#2687.

Since the previous commit, ssh regress test sftp-chroot was failing.
The sftp program terminated with the wrong exit code as sftp called
fatal() instad of exit(0). So when the sigchld handler waits for
the child, remember that it was found. Then don't expect that
main() can wait again.
OK dtucker@

notify user immediately when underlying ssh process dies;
patch from Thomas Kuthan in bz2719; ok dtucker@

lots of typos in comments/docs. Patch from Karsten Weiss after checking
with codespell tool (https://github.com/lucasdemarchi/codespell)

allow "cd" and "lcd" commands with no explicit path argument.
lcd will change to the local user's home directory as usual.
cd will change to the starting directory for session (because the
protocol offers no way to obtain the remote user's home directory).
bz#2760 ok dtucker@

Add URI support to ssh, sftp and scp. For example ssh://user@host
or sftp://user@host/path. The connection parameters described in
draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the
ssh fingerprint format in the draft uses md5 with no way to specify
the hash function type. OK djm@

implement sorting for globbed ls; bz#2649 ok dtucker@

remove -1 / -2 options; pointed out by jmc@

fix division by zero crash in "df" output when server returns zero
total filesystem blocks/inodes. Spotted by Guido Vranken; ok dtucker@

Install a signal handler for tty-generated signals and wait for the
ssh child to suspend before suspending sftp. This lets ssh restore
the terminal mode as needed when it is suspended at the password
prompt. OK dtucker@

Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitions
rather than pulling <sys/param.h> and unknown namespace pollution.
ok djm markus dtucker

constify a few functions' arguments; patch from Jakub Jelen bz#2581

To prevent screwing up terminal settings when printing to the
terminal, for ASCII and UTF-8, escape bytes not forming characters
and bytes forming non-printable characters with vis(3) VIS_OCTAL.
For other character sets, abort printing of the current string in
these cases. In particular,
* let scp(1) respect the local user's LC_CTYPE locale(1);
* sanitize data received from the remote host;
* sanitize filenames, usernames, and similar data even locally;
* take character display widths into account for the progressmeter.

This is believed to be sufficient to keep the local terminal safe
on OpenBSD, but bad things can still happen on other systems with
state-dependent locales because many places in the code print
unencoded ASCII characters into the output stream.

Using feedback from djm@ and martijn@,
various aspects discussed with many others.

deraadt@ says it should go in now, i probably already hesitated too long

whitespace at EOL

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

Do not cast result of malloc/calloc/realloc* if stdlib.h is in scope
ok krw millert

Reduce use of <sys/param.h> and transition to <limits.h> throughout.
ok djm markus

update sftp client and server to new buffer API.
pretty much just mechanical changes; with & ok markus

Prefer setvbuf() to setlinebuf() for portability; ok deraadt@

correct options in usage(); from mancha1 AT zoho.com

djm how did you make a typo like that...

~-expand lcd paths

more useful error message when GLOB_NOSPACE occurs;
bz#2254, patch from Orion Poplawski

Zap extra whitespace.

OK from djm@ and dtucker@

Don't attempt to append a nul quote char to the filename. Should prevent
fatal'ing with "el_insertstr failed" when there's a single quote char
somewhere in the string. bz#2238, ok markus@

Move nulling of variable next to where it's freed. ok markus@

Sort the sftp command list.

OK from djm@

Implement sftp upload resume support.

OK from djm@, with input from guenther@, mlarkin@ and
okan@

unsigned casts for ctype macros where neccessary
ok guenther millert markus

tweak previous;

fsync@openssh.com protocol extension for sftp-server
client support to allow calling fsync() faster successful transfer
patch mostly by imorgan AT nas.nasa.gov; bz#1798
"fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@

make ^w match ksh behaviour (delete previous word instead of entire line)

enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
matching ksh's relatively recent change.

do getopt parsing for all sftp commands (with an empty optstring for
commands without arguments) to ensure consistent behaviour

add a "-l" flag for the rename command to force it to use the silly
standard SSH_FXP_RENAME command instead of the POSIX-rename- like
posix-rename@openssh.com extension.

intended for use in regress tests, so no documentation.

fix two year old regression: symlinking a file would incorrectly
canonicalise the target path. bz#2129 report from delphij AT freebsd.org

sort -a;

fix some whitespace at EOL

make list of commands an enum rather than a long list of defines

add -a to usage()

sftp support for resuming partial downloads; patch mostly by Loganaden
Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
"Just be careful" deraadt@

fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@

Make sftp's libedit interface marginally multibyte aware by building up the
quoted string by character instead of by byte. Prevents failures when linked
against a libedit built with wide character support (bz#1990). "looks ok" djm

bye, bye xfree(); ok markus@

Fix some "unused result" warnings found via clang and -portable. ok markus@

make "sftp -q" do what it says on the sticker: hush everything but errors;
ok dtucker@

fix NULL deref when built without libedit and control characters
entered as command; debugging and patch from Iain Morgan an
Loganaden Velvindron in bz#1956

fix signed vs unsigned warning; feedback & ok: djm@

Fix handling of filenames containing escaped globbing characters and escape
"#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.

Fix improper handling of absolute paths when PWD is part of the completed
path. Patch from Jean-Marc Robert via tech@, ok djm.

Add bounds check on sftp tab-completion. Part of a patch from from Jean-Marc
Robert via tech@, ok djm

an XXX for later

Remove unused variable leftover from tab-completion changes.
From Steve.McClellan at radisys com, ok markus@

setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)

Don't leak list in complete_cmd_parse if there are no commands found.

Discovered when I was ``borrowing'' this code for something else.

ok djm@

don't let remote_glob() implicitly sort its results in do_globbed_ls() -
in all likelihood, they will be resorted anyway

add a protocol extension to support a hard link operation. It is
available through the "ln" command in the client. The old "ln"
behaviour of creating a symlink is available using its "-s" option
or through the preexisting "symlink" command; based on a patch from
miklos AT szeredi.hu in bz#1555; ok markus@

escape '[' in filename tab-completion; fix a type while there.
ok djm@

use default shell /bin/sh if $SHELL is ""; ok markus@

when performing an "ls" in columnated (short) mode, only call
ioctl(TIOCGWINSZ) once to get the window width instead of per-
filename

make use of new glob(3) GLOB_KEEPSTAT extension to save extra server
rountrips to fetch per-file stat(2) information.

add [-l limit] to usage();

add an option per-read/write callback to atomicio

factor out bandwidth limiting code from scp(1) into a generic bandwidth
limiter that can be attached using the atomicio callback mechanism

add a bandwidth limit option to sftp(1) using the above

"very nice" markus@

unbreak ls in working directories that contains globbing characters in
their pathnames. bz#1655 reported by vgiffin AT apple.com

restore mput and mget which got lost in the tab-completion changes.
found by Kenneth Whitaker, ok djm@

add missing "p" flag to getopt optstring;
bz#1704 from imorgan AT nas.nasa.gov

Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
inherited SIGTERM as ignored it will still be able to kill the ssh it
starts.

ok dtucker@

sftp.1: put ls -h in the right place
sftp.c: as above, plus add -p to get/put, and shorten their arg names
to keep the help usage nicely aligned

ok djm

don't append a space after inserting a completion of a directory (i.e.
a path ending in '/') for a slightly better user experience; ok dtucker@

support '-h' (human-readable units) for sftp's ls command, just like
ls(1); ok dtucker@

Prevent sftp from derefing a null pointer when given a "-" without a command.
Also, allow whitespace to follow a "-". bz#1691, path from Colin Watson via
Debian. ok djm@ deraadt@

Fix two warnings: possibly used unitialized and use a nul byte instead of
NULL pointer. ok djm@

Implement tab-completion of commands, local and remote filenames for sftp.
Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
Google Summer of Code) and polished to a fine sheen by myself again.
It should deal more-or-less correctly with the ikky corner-cases presented
by quoted filenames, but the UI could still be slightly improved.
In particular, it is quite slow for remote completion on large directories.
bz#200; ok markus@

When passing user-controlled options with arguments to other programs,
pass the option and option argument as separate argv entries and
not smashed into one (e.g., as -l foo and not -lfoo). Also, always
pass a "--" argument to stop option parsing, so that a positional
argument that starts with a '-' isn't treated as an option. This
fixes some error cases as well as the handling of hostnames and
filenames that start with a '-'.

Based on a diff by halex@
ok halex@ djm@ deraadt@

fix potential divide-by-zero in sftp's "df" output when talking to a server
that reports zero files on the filesystem (Unix filesystems always have at
least the root inode). From Steve McClellan at radisys, ok djm@

make passing of zero-length arguments to ssh safe by
passing "-<switch>" "<value>" rather than "-<switch><value>"

ok dtucker@, guenther@, djm@

bz#1588 change "Connecting to host..." message to "Connected to host."
and delay it until after the sftp protocol connection has been established.
Avoids confusing sequence of messages when the underlying ssh connection
experiences problems. ok dtucker@

recursive transfer support for get/put and on the commandline
work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
with some tweaks by me; "go for it" deraadt@

sync synopsis and usage();

Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
add "-P port" to match scp(1). Fortunately, the -P option is only really
used by our regression scripts.

part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
of Code work; ok deraadt markus

support most of scp(1)'s commandline arguments in sftp(1), as a first
step towards making sftp(1) a drop-in replacement for scp(1).
One conflicting option (-P) has not been changed, pending further
discussion.

Patch from carlosvsilvapt@gmail.com as part of his work in the
Google Summer of Code

Initialize a few variables to prevent spurious "may be used uninitialized"
warnings from newer gcc's. ok djm@

update for the synopses displayed by the 'help' command, there are a
few missing flags; add 'bye' to the output of 'help'; sorting and spacing.

jmc@ suggested replacing .Oo/.Oc with a single .Op macro.

ok jmc@

correct sftp(1) and corresponding usage syntax;
bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@

Deal correctly with failures in remote stat() operation in sftp,
correcting fail-on-error behaviour in batchmode. bz#1541 report and
fix from anedvedicky AT gmail.com; ok markus@

increase number of piplelined requests so they properly fill the
(recently increased) channel window. prompted by rapier AT psc.edu;
ok markus@

use optopt to get invalid flag, instead of return value of getopt,
which is always '?'; ok djm@

Have the sftp client store the statvfs replies in wire format,
which prevents problems when the server's native sizes exceed the
client's.

Also extends the sizes of the remaining 32bit wire format to 64bit,
they're specified as unsigned long in the standard.

introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)

also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation

ok markus@

When uploading, correctly handle the case of an unquoted filename with
glob metacharacters that match a file exactly but not as a glob, e.g. a
file called "[abcd]". report and test cases from duncan2nd AT gmx.de

unbreak lls command and add a regress test that would have caught the
breakage; spotted by mouring@

rework argument splitting and parsing to cope correctly with common shell
escapes and make handling of escaped characters consistent with sh(1) and
between sftp commands (especially between ones that glob their arguments
and ones that don't).
parse command flags using getopt(3) rather than hand-rolled parsers.
ok dtucker@

ARGSUSED for lint

spaces

Don't access buf[strlen(buf) - 1] for zero-length strings.

``ok by me'' djm@.

Clear errno before calling the strtol functions.

From Paul Stoeber <x0001 at x dot de1 dot cc>.

OK deraadt@.

Use S_IS* macros insted of masking with S_IF* flags. The latter may
have multiple bits set, which lead to surprising results. Spotted by
Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@

branches: 1.91.4;
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <sys/param.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

buffer.h only needed in sftp-common.h and remove some unneeded
user includes; ok djm@

move #include <sys/socket.h> out of includes.h

fix leak; coverity via Kylene Jo Hall

Switch from using pipes to socketpairs for communication between
sftp/scp and ssh, and between sshd and its subprocesses. This saves
a file descriptor per session and apparently makes userland ppp over
ssh work; ok markus@ deraadt@

always use a format string for addargs; spotted by mouring@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

"abormally" is a perfectly cromulent word, but "abnormally" is better

RCSID() can die

more memory leaks detected by Coverity via elad AT netbsd.org;
deraadt@ ok

branches: 1.75.2;
move #include <sys/stat.h> out of includes.h; ok markus@

move #include <signal.h> out of includes.h; ok markus@

move #include <sys/wait.h> out of includes.h; ok markus@

move #include <sys/ioctl.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

fix local arbitrary command execution vulnerability on local/local and
remote/remote copies (CVE-2006-0225, bz #1094), patch by
t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@

Add support for tun(4) forwarding over OpenSSH, based on an idea and
initial channel code bits by markus@. This is a simple and easy way to
use OpenSSH for ad hoc virtual private network connections, e.g.
administrative tunnels or secure wireless access. It's based on a new
ssh channel and works similar to the existing TCP forwarding support,
except that it depends on the tun(4) network interface on both ends of
the connection for layer 2 or layer 3 tunneling. This diff also adds
support for LocalCommand in the ssh(1) client.

ok djm@, markus@, jmc@ (manpages), tested and discussed with others

Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@

ensure that stdio fds are attached; ok deraadt@

branches: 1.66.2;
sftp prompt enhancements:
- in non-interactive mode, do not print an empty prompt at the end
before finishing
- print newline after EOF in editline mode
- call el_end() in editline mode

ok dtucker djm

knf says that a 2nd level indent is four (not three or five) spaces

make this -Wsign-compare clean; ok avsm@ markus@

branches: 1.63.2;
spacing

turn on ssh batch mode when in sftp batch mode, patch from jdmossh AT nand.net;
ok markus@

Have scp and sftp wait for the spawned ssh to exit before they exit
themselves. This prevents ssh from being unable to restore terminal
modes (not normally a problem on OpenBSD but common with -Portable
on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
ok djm@ markus@

- fix globbed ls for paths the same lenght as the globbed path when
we have a unique matching.
- fix globbed ls in case of a directory when we have a unique matching.
- as a side effect, if the path does not exist error (used to silently ignore).
- don't do extra do_lstat() if we only have one matching file.

djm@ ok

Some small fixes from moritz@jodeit.org. ok deraadt@

leak; from mpech

command editing and history support via libedit; ok markus@
thanks to hshoexer@ and many testers on tech@ too

branches: 1.56.2;
spaces

bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de

don't show .files by default in ls, add -a option to turn them back on;
ok markus

prefix ls option flags with LS_

introduce sorting for ls, same options as /bin/ls; ok markus@

make ssh -Wshadow clean, no functional changes
markus@ ok

make "ls -l" listings print user/group names, add "ls -n" to show uid/gid
(like /bin/ls); idea & ok markus@

Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@

initialize pointers, ok markus@

exit -> _exit in forked child on error; from andrushock AT korovino.net

gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
waiting for a command; ok markus@

branches: 1.45.2;
Fix initialisation of progress meter; ok markus@

sftp.c and sftp-int.c, together at last; ok markus@

Remove useless headers; ok deraadt@

switch to license.template for code written by me (belated, I know...)

reorder parsing so user:skey@host:file works (bugzilla #777)
patch from admorten AT umich.edu; ok markus@

initialise infile in main, rather than statically - from portable

Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and
enable use of "-b -" to accept batchfile from stdin; ok markus@

scp and sftp: add options list and sort options. options list requested
by deraadt@
sshd: use same format as ssh
ssh: remove wrong option from list
sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)

ok deraadt@ markus@

branches: 1.37.2;
sync usage with manpage, add missing -R

kill ssh process on receipt of signal; ok markus@

Teach ls how to display multiple column display and allow users to return
to single column format via 'ls -1'. OK @djm

branches: 1.34.2;
sftp progress meter support.
original diffs by Nils Nordman <nino at nforced dot com> via markus@, merged
to -current by me, djm@ ok.

Cleanup error handling for batchmode
Allow blank lines and comments in input
Ability to suppress abort on error in batchmode ("-put blah")

Fixes mindrot bug #452; markus@ ok

allow usernames with embedded '@', e.g. scp user@vhost@realhost:file /tmp;
http://bugzilla.mindrot.org/show_bug.cgi?id=447; ok mouring@, millert@

branches: 1.31.2;
FallBackToRsh does not exist anywhere else. Remove it from here. OK deraadt.

bunch of u_int vs int stuff

branches: 1.29.2;
always call log_init()

check waitpid for EINTR; based on patch from peter@ifm.liu.se

KNF whitespace

Perform multiple overlapping read/write requests in file transfer. Mostly
done by Tobias Ringstrom <tori@ringstrom.mine.nu>; ok markus@

sync usage() with manual.

markus@ ok

Add "-B" option to specify copy buffer length (default 32k); ok markus@

Add "-P" option to directly connect to a local sftp-server. Should be useful
for regression testing; ok markus@