Hi All,

Dan Halbert made me aware of it being easily possible to inject  
arbitrary data into X2Go Client via the server-side .bashrc file. This  
surely is a security problem in X2Go.

Thus, I found that we really need to do some sanity checks on incoming  
output from X2Go Servers to avoid such injections.

The idea is to invoke the server-side command with a UUID hash before  
and after the actuall command invocation:

1. execute server-side command from X2Go Client:

ssh <user>@<server> sh -c "echo <uuidhash> && <x2gocmd> && echo <uuidhash>

2. read data from X2Go Server:

X2GODATABEGIN:<uuidhash>
<x2godata_line1>
<x2godata_line2>
....
<x2godata_lineN>
X2GODATAEND:<uuidhash>

3. cut out the X2Go data returned by the server (in C++):

       QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
       QString end_marker = "X2GODATAEND:"+uuid+"\n";
       int output_begin=stdOutString.indexOf(begin_marker) + \\
                        begin_marker.length();
       int output_end=stdOutString.indexOf(end_marker);
       output = stdOutString.mid(output_begin, \\
                                 output_end-output_begin);


I have a patch locally for this and will commit it in a minute. We can  
discuss the patch and move on from there when it's there.

Unfortunately, this patch does not fix #327 as it is impossible to use  
scp with echoing .bashrc files. With this patch applied, the session  
starts, but setting up the SSHfs shares fails with locking up X2Go  
Client.

For people who depend on echoing .bashrc files, please read my last  
post on #327.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb