Received: (at submit) by bugs.x2go.org; 16 Dec 2014 23:07:11 +0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=ham
	version=3.3.2
X-Greylist: delayed 1321 seconds by postgrey-1.34 at ymir.das-netzwerkteam.de; Wed, 17 Dec 2014 00:07:08 CET
Received: from thetower.ra09.com (ra09.com [202.124.104.240])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id E1C145DB1C
	for <submit@bugs.x2go.org>; Wed, 17 Dec 2014 00:07:08 +0100 (CET)
Received: from localhost ([127.0.0.1] helo=private.ra09.com)
	by thetower.ra09.com with esmtp (Exim 4.80)
	(envelope-from <alavaliant@ra09.com>)
	id 1Y10rW-0002Dr-L9
	for submit@bugs.x2go.org; Wed, 17 Dec 2014 11:45:02 +1300
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="=_07075d413da3260236ab2776f53045a7"
Date: Wed, 17 Dec 2014 11:45:02 +1300
From: Jason Alavaliant <alavaliant@ra09.com>
To: submit@bugs.x2go.org
Subject: client sends password to http broker without percent encoding
 special characters such as &
Message-ID: <56e6e11db7c4583666eebe1811f3d98b@private.ra09.com>
X-Sender: alavaliant@ra09.com
User-Agent: Roundcube Webmail/1.0.2

--=_07075d413da3260236ab2776f53045a7
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
 format=flowed

Package: x2goclient
Version: 4.0.3.1
Severity: grave
Tags: patch

I've just set up an x2go load balanced setup using x2gobroker (http
connection - x2goclient --broker-url=http://server:8080/plain/inifile).
After putting it into production we found a number of our users had
their passwords rejected when trying to sign into the x2go client to
access the broker.

Tracing through the traffic/logs we found that the problem is that
password values were being sent unencoded to the broker, so for example
if there was an & present in a password the form data was submitted in
the form of

task=listsessions&user=user&password=mypass&word&authid=

which resulted in the data being read by the server as the password being
mypass rather than mypass&word

The attached patch in my testing (done on Linux) fixes the client so 
data is correctly escaped so the above example would be submitted as


task=listsessions&user=user&password=mypass%26word&authid=

which is correctly parsed as the password being mypass&word
and allows the login to work.


If we could get an indication of when this fix is likely to make a
client release it would be appreciated, since we currently don't have
Windows and OSX builds with the patch and are trying to work out if it's
worth the time of setting up development workstations to be able to
compile the client for those platforms vs just waiting for the next
client release.

Thanks for your time.
Jason
--=_07075d413da3260236ab2776f53045a7
Content-Transfer-Encoding: base64
Content-Type: text/x-diff;
 name=x2go-client-broker-httpauth-encoding-fix.patch
Content-Disposition: attachment;
 filename=x2go-client-broker-httpauth-encoding-fix.patch;
 size=2039
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--=_07075d413da3260236ab2776f53045a7--
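The failure described in the report, reproduced as an added example that is not part of the bug report, the attached patch, or the x2goclient/x2gobroker code. It builds the application/x-www-form-urlencoded body two ways (raw concatenation as the buggy client did, and with each value percent-encoded) and then parses the result the way a server-side form parser would, which is enough to show the password truncating to "mypass" in the first case and surviving in the second. The field names (task, user, password, authid) mirror the ones quoted in the report; the host, the request framing and the use of Python's urllib as a stand-in for both the Qt client and the broker are assumptions made for the example. (In a Qt client the equivalent of quote_plus is QUrl::toPercentEncoding on each value.)

```python
"""Constructed example: unencoded vs percent-encoded form bodies.

Not x2goclient or x2gobroker code. urllib.parse stands in for both the
client-side encoder and the broker-side form parser.
"""
from urllib.parse import parse_qs, quote_plus

# Field order as seen in the report's captured request body.
FIELD_ORDER = ("task", "user", "password", "authid")


def naive_body(task, user, password, authid=""):
    """Buggy construction: values concatenated into the body verbatim.

    Any '&', '=', '+', '%' or non-ASCII byte in a value is taken by the
    server as form syntax rather than as part of the value.
    """
    return f"task={task}&user={user}&password={password}&authid={authid}"


def encoded_body(task, user, password, authid=""):
    """Correct construction: every key and value percent-encoded.

    quote_plus() applies application/x-www-form-urlencoded rules: reserved
    characters become %XX, spaces become '+', non-ASCII is UTF-8 encoded
    first. The server-side parser reverses exactly these rules.
    """
    values = {"task": task, "user": user, "password": password, "authid": authid}
    return "&".join(f"{quote_plus(k)}={quote_plus(values[k])}" for k in FIELD_ORDER)


def server_fields(body):
    """What a server-side form parser recovers from the body.

    keep_blank_values=True keeps 'authid=' (empty value) and also keeps a
    stray 'word' token with no '=' as a key, which is how the unencoded
    body silently gains a field the client never meant to send.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def server_password(body):
    """The password field as the server would see it (None if absent)."""
    return server_fields(body).get("password")


def round_trips(password):
    """True if the encoded body delivers the password byte-for-byte."""
    return server_password(encoded_body("listsessions", "user", password)) == password


if __name__ == "__main__":
    pw = "mypass&word"  # constructed password containing '&'
    for label, builder in (("naive", naive_body), ("encoded", encoded_body)):
        body = builder("listsessions", "user", pw)
        print(f"{label:8s} body: {body}")
        print(f"{label:8s} server sees password = {server_password(body)!r}")
    # Other characters that break the naive form but survive encoding.
    for candidate in ("a b+c", "p=q%", "ünïcode"):
        print(f"{candidate!r}: round trip ok = {round_trips(candidate)}")
```

Running it shows the naive body parsed as password "mypass" plus a spurious "word" key, and the encoded body parsed back to "mypass&word"; the extra candidates show that '&' is only the most visible of the characters that need escaping, since '=', '+', '%' and non-ASCII text are all mis-read by a form parser when sent raw.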
