clone #333 -1
reassign -1 python-x2go
retitle -1 Users can inject arbitrary data into Pyhoca-GUI via .bashrc
thanks

Hi All,

On Tue 29 Oct 2013 13:36:14 CET, Mike Gabriel wrote:

> Hi All,
>
> Dan Halbert made me aware of it being easily possible to inject
> arbitrary data into X2Go Client via the server-side .bashrc file.
> This surely is a security problem in X2Go.
>
> Thus, I found that we really need to do some sanity checks on
> incoming output from X2Go Servers to avoid such injections.
>
> The idea is to invoke the server-side command with a UUID hash
> before and after the actual command invocation:
>
> 1. execute server-side command from X2Go Client:
>
> ssh @ sh -c "echo && && echo
>
> 2. read data from X2Go Server:
>
> X2GODATABEGIN:
>
> ....
>
> X2GODATAEND:
>
> 3. cut out the X2Go data returned by the server (in C++):
>
> QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
> QString end_marker = "X2GODATAEND:"+uuid+"\n";
> int output_begin=stdOutString.indexOf(begin_marker) + \
> begin_marker.length();
> int output_end=stdOutString.indexOf(end_marker);
> output = stdOutString.mid(output_begin, \
> output_end-output_begin);
>
> I have a patch locally for this and will commit it in a minute. We
> can discuss the patch and move on from there when it's there.
>
> Unfortunately, this patch does not fix #327 as it is impossible to
> use scp with echoing .bashrc files. With this patch applied, the
> session starts, but setting up the SSHfs shares fails with locking
> up X2Go Client.
>
> For people who depend on echoing .bashrc files, please read my last
> post on #327.
>
> Mike

This actually also applies to Python X2Go.

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
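The marker scheme quoted above, written out in Python as an added example (this is not code from X2Go Client, python-x2go or the committed patch): `wrap_command`, `extract_payload`, `new_marker` and the sample server output are constructed here, and the extractor treats a missing marker as an error instead of slicing at an unchecked `indexOf()` result.

```python
import shlex
import uuid

BEGIN_TAG = "X2GODATABEGIN:"
END_TAG = "X2GODATAEND:"


def new_marker() -> str:
    """Fresh, unpredictable marker per invocation; .bashrc cannot know it in advance."""
    return uuid.uuid4().hex


def wrap_command(cmd: str, marker: str) -> str:
    """Build the string handed to `sh -c` on the server (hypothetical helper).

    Echo the begin marker, run the real command, echo the end marker.
    Because of `&&`, a failing command never emits the end marker.
    """
    return (f"echo {shlex.quote(BEGIN_TAG + marker)} && {cmd} && "
            f"echo {shlex.quote(END_TAG + marker)}")


def extract_payload(stdout: str, marker: str) -> str:
    """Return only the text between the two markers; fail loudly if either is absent."""
    begin_marker = BEGIN_TAG + marker + "\n"
    end_marker = END_TAG + marker + "\n"
    begin = stdout.find(begin_marker)
    if begin < 0:
        raise ValueError("begin marker not found in server output")
    start = begin + len(begin_marker)
    end = stdout.find(end_marker, start)   # search only after the begin marker
    if end < 0:
        raise ValueError("end marker not found (command failed or output truncated)")
    return stdout[start:end]


# Constructed sample: a chatty .bashrc prints a banner plus a line that imitates a
# marker before the wrapped command's own output; only the real marker pair counts.
MARKER = "0123456789abcdef0123456789abcdef"  # fixed here so the sample is reproducible
SAMPLE_STDOUT = (
    "Welcome to the server!\n"
    "X2GODATABEGIN:deadbeef\n"          # guessed marker from .bashrc, ignored
    "X2GODATABEGIN:" + MARKER + "\n"
    "session|50|desktop\n"              # constructed stand-in for x2golistsessions output
    "X2GODATAEND:" + MARKER + "\n"
    "bye from .bash_logout\n"
)

if __name__ == "__main__":
    print(wrap_command("x2golistsessions", new_marker()))
    print(repr(extract_payload(SAMPLE_STDOUT, MARKER)))
```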