From unknown Mon May 18 23:27:07 2026 MIME-Version: 1.0 X-Mailer: MIME-tools 5.502 (Entity 5.502) X-Loop: owner@bugs.x2go.org From: owner@bugs.x2go.org (X2Go Bug Tracking System) Subject: Bug#335 closed by Mike Gabriel (X2Go issue (in src:python-x2go) has been marked as closed) Message-ID: References: <20140108142934.8C04E5DCD5@ymir> X-X2go-PR-Keywords: confirmed pending X-X2go-PR-Message: they-closed 335 X-X2go-PR-Package: python-x2go X-X2go-PR-Source: python-x2go Date: Wed, 08 Jan 2014 14:35:03 +0000 Content-Type: multipart/mixed; boundary="----------=_1389191703-766-0" This is a multi-part message in MIME format... ------------=_1389191703-766-0 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 This is an automatic notification regarding your Bug report which was filed against the python-x2go package: #335: Users can inject arbitrary data into Pyhoca-GUI via .bashrc It has been closed by Mike Gabriel . Their explanation is attached below along with your original report. If this explanation is unsatisfactory and you have not received a better one in a separate message then please contact Mike Gabriel by replying to this email. --=20 X2Go Bug Tracking System Contact owner@bugs.x2go.org with problems ------------=_1389191703-766-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at control) by bugs.x2go.org; 8 Jan 2014 14:30:23 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS autolearn=unavailable version=3.3.2 Received: by ymir (Postfix, from userid 1005) id 8C04E5DCD5; Wed, 8 Jan 2014 15:29:34 +0100 (CET) From: Mike Gabriel To: 335-submitter@bugs.x2go.org Cc: control@bugs.x2go.org, 335@bugs.x2go.org Subject: X2Go issue (in src:python-x2go) has been marked as closed Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit Message-Id: <20140108142934.8C04E5DCD5@ymir> Date: Wed, 8 Jan 2014 15:29:34 +0100 (CET) close #335 thanks Hello, we are very hopeful that X2Go issue #335 reported by you has been resolved in the new release (0.4.0.9) of the X2Go source project »src:python-x2go«. You can view the complete changelog entry of src:python-x2go (0.4.0.9) below, and you can use the following link to view all the code changes between this and the last release of src:python-x2go. http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=62f82b9324d1ed8240af1ad0bf0e5ff82f08ee49;hp=000e5e38e26713f485314365486d05b93100a189 If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:python-x2go. Thanks a lot for contributing to X2Go!!! light+love X2Go Git Admin (on behalf of the sender of this mail) --- X2Go Component: src:python-x2go Version: 0.4.0.9-0x2go1 Status: RELEASE Date: Wed, 08 Jan 2014 15:14:16 +0100 Fixes: 329 330 335 Changes: python-x2go (0.4.0.9-0x2go1) RELEASED; urgency=low . [ Mike Gabriel ] * New upstream version (0.4.0.9): - Agent channels in Paramiko can raise an EOFError if the connection has got disrupted. Ignoring this. - Store the session password in base64 encoded string in order to make it harder spotting the long term stored (for the duration of the session) plain text password. - Support encryption passphrases on SSH private key files (X2Go SSH connections as well as SSH proxy connections). - Invalidate SSH private keys (filename, pkey object) when look_for_keys is requested. - Keep private key information even if force_password_auth is set in the control session's connect() method. - Fix parameter handling in X2GoSession.connect(). - Rewrite passwords that are not string/unicode to an empty string. - No Unicode chars in log messages. Eliminated one more in checkhosts.py. - Implement two-factor authentication. - Compat fix in _paramiko monkey patch module to also work with early Paramiko versions. - Handle echoing ~/.*shrc files gracefully via SSH client connections. Do not allow data injections via ~/.*shrc files. (Fixes: #335). - Properly handle (=expand) the "~" character in key filenames. (Brought to attention by Eldamir on IRC. Thanks!). - Differentiate between desktop sharing errors and desktop sharing access that gets denied by the other/remote user. - Report about found session window / session window retitling in debug mode. - Fix session window detection when local session manager is the i3 session manager (which uses _NET_CLIENT_LIST_STACKING instead of _NET_CLIENT_LIST). - Check for pulse cookie file in old (~/.pulse-cookie) and new (~/.config/pulse/cookie) location. - Import python-x2go-py3.patch from Fedora. Thanks to Orion!!! - Improve setup.py script: make it run with Python3 and older Python2 versions. - Fix tests for two-factor authentication in control session and SSH proxy code. - Fix regression: Make password logins with PyHoca-CLI succeed again. - Make channel compression to all authentication methods. - Set keepalive on proxy channel. - Only use []: if is not 22. - Handle host key checks for hosts that do not have a port specified. * debian/source/format: + Switch to format 1.0. * python-x2go.spec: + Ship python-x2go.spec (RPM package definitions) in upstream project. (Thanks to the Fedora package maintainers). + Clear (Fedora package) changelog. + Drop dependency on python-cups. . [ Orion Poplawski ] * debian/control: + Drop python-cups from Depends: field. Python CUPS is no dependency if Python X2Go. (Fixes: #329). . [ Kenneth Pedersen ] * New upstream version (0.4.0.9): - Color depth detection: Stop using win32api.GetSystemMetrics(2) which actually returns the width of a vertical scroll bar in pixels. Instead, create a screen display context and query it for the color depth. (Fixes: #330). ------------=_1389191703-766-0 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by bugs.x2go.org; 21 Oct 2013 12:41:43 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-0.6 required=5.0 tests=BAYES_00,HTML_MESSAGE, RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED autolearn=no version=3.3.2 X-Greylist: delayed 4199 seconds by postgrey-1.34 at ymir; Mon, 21 Oct 2013 14:41:42 CEST Received: from smtp122.dfw.emailsrvr.com (smtp122.dfw.emailsrvr.com [67.192.241.122]) by ymir (Postfix) with ESMTPS id DBE4A5DB16 for ; Mon, 21 Oct 2013 14:41:42 +0200 (CEST) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp12.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 14F15300DC for ; Sat, 19 Oct 2013 12:22:47 -0400 (EDT) X-Virus-Scanned: OK Received: from smtp66.iad3a.emailsrvr.com (smtp66.iad3a.emailsrvr.com [173.203.187.66]) by smtp12.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTPS id E72D230335 for ; Sat, 19 Oct 2013 12:22:46 -0400 (EDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp1.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 07F02600BB; Sat, 19 Oct 2013 12:22:44 -0400 (EDT) X-Virus-Scanned: OK Received: from app40.wa-webapps.iad3a (relay.iad3a.rsapps.net [172.27.255.110]) by smtp1.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id DB48D600B8; Sat, 19 Oct 2013 12:22:43 -0400 (EDT) Received: from halwitz.org (localhost.localdomain [127.0.0.1]) by app40.wa-webapps.iad3a (Postfix) with ESMTP id 9C18F300044; Sat, 19 Oct 2013 12:22:43 -0400 (EDT) Received: by beta.apps.rackspace.com (Authenticated sender: halbert@halwitz.org, from: halbert@halwitz.org) with HTTP; Sat, 19 Oct 2013 12:22:43 -0400 (EDT) Date: Sat, 19 Oct 2013 12:22:43 -0400 (EDT) Subject: x2go client crashes if .bashrc prints anything From: "Dan Halbert" To: submit@bugs.x2go.org MIME-Version: 1.0 Content-Type: multipart/alternative;boundary="----=_20131019122243000000_69938" Importance: Normal X-Priority: 3 (Normal) X-Type: html Message-ID: <1382199763.63727452@beta.apps.rackspace.com> X-Mailer: webmail7.0 ------=_20131019122243000000_69938 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable =0APackage: x2goclient=0AVersion: 4.0.0.3=0A =0AIf I put an=0Aecho "testing= " # exact text doesn't matter=0A =0Aat the top of my .bashrc, then the x2= goclient crashes immediately when trying to start a session.=0A =0A(The cra= sh does not occur if I put a similar statement in .bash_login.)=0A =0AI hav= e reproduced this on the Windows client; I believe a colleague saw it on bo= th the Windows and Linux clients.=0A =0AThe x2go server being used is 4.0.= 1.6-0~712~precise1.=0A=0A ------=_20131019122243000000_69938 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Package: x= 2goclient

=0A

Version: 4.0.0.3

=0A

 

=0A

If I put an

=0A

echo "testing" &nb= sp; # exact text doesn't matter

=0A

&nbs= p;

=0A

at the top of my .bashrc, then th= e x2goclient crashes immediately when trying to start a session.

=0A

 

=0A

= (The crash does not occur if I put a similar statement in .bash_login.)

= =0A

 

=0A

I have reproduced this on the Windows client; I believe a colleague = saw it on both the Windows and Linux clients.

=0A

 

=0A

The x2go server bei= ng used is  4.0.1.6-0~712~precise1.

 ------=_20131019122243000000_69938-- ------------=_1389191703-766-0--