Package: x2goclient
Version: 4.1.2.2-2020.02.13

x2goclient assumes the path to its application data directory does not have any spaces or single-quotes, but these are legal path directories for users on Windows systems. As a result, if the path to the x2go directory contains spaces or apostrophes (C:/Users/O'Regan, for instance), the call will fail. I have experienced this error and can reproduce the failure behavior by calling ssh-keygen from the terminal.

The fix, I think, is to add double quotes to open and close the "private_key_file" string sent to ssh-keygen in onmainwindow.cpp, line 11353, or to apply a dedicated sanitization function.

Testing in the terminal:
ssh-keygen -f C:\Users\O'Regan\.x2go\etc\mykeyfile will fail.
ssh-keygen -f "C:\Users\O'Regan\.x2go\etc\mykeyfile" will succeed.

There may be other places/program calls that also need sanitizing.

This is also potentially a security issue, since it lets the program caller influence what arguments are sent to generate an SSH key by altering the "HOME" environment variable queried by Qt in line 185 from QDir::homePath(). (I'm not sure how easy it is to change this or related environment variables mid-session, but I imagine it might be possible.) The path appears as the final argument to ssh-keygen, so it will also overrule the preceding arguments. For instance, I could reduce the bit count for the key or key type to make the credential easier to brute-force.

I am using Windows 11.

Thank you,
Peter
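
The splitting problem described in the report above, as an added example that is not part of the original report or x2goclient's code: it compares a key path pasted into a command string with the same path passed as its own argument. The splitter is a simplified stand-in (whitespace splits, double quotes group), and the sample path and the ssh-keygen options shown are assumptions.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for a command-line splitter: whitespace separates
// arguments, double quotes group them. Not Qt's or any shell's real parser.
std::vector<std::string> splitCommand(const std::string& cmd) {
    std::vector<std::string> args;
    std::string cur;
    bool inQuotes = false, haveToken = false;
    for (char c : cmd) {
        if (c == '"') { inQuotes = !inQuotes; haveToken = true; }
        else if (c == ' ' && !inQuotes) {
            if (haveToken) { args.push_back(cur); cur.clear(); haveToken = false; }
        } else { cur += c; haveToken = true; }
    }
    if (haveToken) args.push_back(cur);
    return args;
}

// Fragile: the path is pasted into one command string and split afterwards.
// The options -t rsa -b 4096 are assumed for illustration.
std::vector<std::string> keygenArgsFromString(const std::string& keyPath) {
    return splitCommand("ssh-keygen -t rsa -b 4096 -f " + keyPath);
}

// Robust: each argument is its own element, so the path is never re-parsed.
std::vector<std::string> keygenArgsAsList(const std::string& keyPath) {
    return {"ssh-keygen", "-t", "rsa", "-b", "4096", "-f", keyPath};
}

int main() {
    // Constructed sample path containing a space and an apostrophe.
    const std::string path = "C:/Users/Pat O'Regan/.x2go/etc/mykeyfile";
    for (const auto& a : keygenArgsFromString(path)) std::cout << "[" << a << "] ";
    std::cout << "\n";
    for (const auto& a : keygenArgsAsList(path)) std::cout << "[" << a << "] ";
    std::cout << "\n";
}
```

In Qt, the list form corresponds to the QProcess::start() overload that takes the program name and a QStringList of arguments, which avoids hand-written quoting altogether.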