From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 333@bugs.x2go.org, control@bugs.x2go.org
Date: Tue, 29 Oct 2013 13:41:47 +0000
Subject: Re: [X2Go-Dev] Bug#333: Users can inject arbitrary data into X2Go Client via .bashrc
Message-ID: <20131029134147.Horde.pdvnenhY0dXSzSektCXoKg9@mail.das-netzwerkteam.de>
In-Reply-To: <20131029123614.Horde.P9zSu3_8i0FBDAWAhaTBkg4@mail.das-netzwerkteam.de>

clone #333 -1
reassign -1 python-x2go
retitle -1 Users can inject arbitrary data into PyHoca-GUI via .bashrc
thanks

Hi All,

On Tue 29 Oct 2013 13:36:14 CET, Mike Gabriel wrote:

> Hi All,
>
> Dan Halbert made me aware of it being easily possible to inject
> arbitrary data into X2Go Client via the server-side .bashrc file.
> This surely is a security problem in X2Go.
>
> Thus, I found that we really need to do some sanity checks on
> incoming output from X2Go Servers to avoid such injections.
>
> The idea is to invoke the server-side command with a UUID hash
> before and after the actual command invocation:
>
> 1. execute server-side command from X2Go Client:
>
> ssh @ sh -c "echo && && echo
>
> 2. read data from X2Go Server:
>
> X2GODATABEGIN:
>
> ....
>
> X2GODATAEND:
>
> 3. cut out the X2Go data returned by the server (in C++):
>
> QString begin_marker = "X2GODATABEGIN:"+uuid+"\n";
> QString end_marker = "X2GODATAEND:"+uuid+"\n";
> QString output;
> int output_begin = stdOutString.indexOf(begin_marker);
> // indexOf() returns -1 for a missing marker; only cut when both are present
> if (output_begin != -1) {
>     output_begin += begin_marker.length();
>     int output_end = stdOutString.indexOf(end_marker, output_begin);
>     if (output_end != -1)
>         output = stdOutString.mid(output_begin, output_end - output_begin);
> }
>
> I have a patch locally for this and will commit it in a minute. We
> can discuss the patch and move on from there when it's there.
>
> Unfortunately, this patch does not fix #327 as it is impossible to
> use scp with echoing .bashrc files. With this patch applied, the
> session starts, but setting up the SSHfs shares fails, locking up
> X2Go Client.
>
> For people who depend on echoing .bashrc files, please read my last
> post on #327.
>
> Mike

This actually also applies to Python X2Go.

Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
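The marker scheme sketched in the quoted message, written out as an added example in Python (the language of Python X2Go, to which this bug is cloned). This is not code from X2Go Client or Python X2Go: only the X2GODATABEGIN:/X2GODATAEND: marker prefixes and the "echo marker && command && echo marker" wrapping come from the report; the function names, the FramingError class, the local sh stand-in for ssh and the constructed sample output are this example's own assumptions.

```python
"""Frame X2Go server output between per-invocation UUID markers.

Added example, not code from X2Go Client or Python X2Go.  The client wraps
the server-side command in "echo <begin marker> && <command> && echo <end
marker>" and afterwards keeps only the text between the two markers, so that
whatever a user's .bashrc prints before or after the command is discarded.
Marker prefixes follow the bug report; all names below are this example's own.
"""
import subprocess
import uuid

BEGIN_PREFIX = "X2GODATABEGIN:"
END_PREFIX = "X2GODATAEND:"


class FramingError(Exception):
    """Server output did not contain both markers for this invocation."""


def wrap_command(command, marker=None):
    """Return (marker, shell_line) for running `command` on the server.

    A fresh random UUID is chosen for every call, so a .bashrc that runs
    before the command cannot pre-print a matching marker.  Because of `&&`,
    a failing command never prints the end marker, which the client detects.
    `command` is assumed to be built by the client, not taken from the user.
    """
    marker = marker or str(uuid.uuid4())
    shell_line = "echo {b}{m} && {cmd} && echo {e}{m}".format(
        b=BEGIN_PREFIX, e=END_PREFIX, m=marker, cmd=command)
    return marker, shell_line


def extract_framed_output(stdout, marker):
    """Return the text between the begin and end marker lines for `marker`.

    Same idea as the QString::indexOf()/mid() cut in the report, but it
    refuses to guess when a marker is missing (indexOf()/find() return -1
    there, and the naive offset arithmetic would silently return garbage).
    """
    begin = BEGIN_PREFIX + marker + "\n"
    end = END_PREFIX + marker + "\n"
    start = stdout.find(begin)
    if start == -1:
        raise FramingError("begin marker not found; command did not start")
    start += len(begin)
    stop = stdout.find(end, start)
    if stop == -1:
        raise FramingError("end marker not found; command failed or output truncated")
    return stdout[start:stop]


def run_framed(command, runner=None):
    """Run `command` via `runner(shell_line) -> stdout` and return only the framed data.

    The default runner executes the line with the local sh, standing in for
    `ssh user@server sh -c ...` so that the example runs offline.
    """
    marker, shell_line = wrap_command(command)
    if runner is None:
        def runner(line):
            return subprocess.run(["sh", "-c", line], capture_output=True,
                                  text=True, check=False).stdout
    return extract_framed_output(runner(shell_line), marker)


# Constructed sample (not real server output): a chatty .bashrc prints a
# banner, a forged marker pair with the wrong UUID, and a farewell line
# around the real command output.
SAMPLE_MARKER = "3f2c1a8e-5b7d-4e6f-9a0b-1c2d3e4f5a6b"
SAMPLE_STDOUT = "".join([
    "Welcome, have a nice session!\n",
    "X2GODATABEGIN:00000000-0000-0000-0000-000000000000\n",
    "forged|data|from|bashrc\n",
    "X2GODATAEND:00000000-0000-0000-0000-000000000000\n",
    BEGIN_PREFIX + SAMPLE_MARKER + "\n",
    "real|session|line|1\n",
    "real|session|line|2\n",
    END_PREFIX + SAMPLE_MARKER + "\n",
    "goodbye from .bash_logout\n",
])

if __name__ == "__main__":
    print(repr(extract_framed_output(SAMPLE_STDOUT, SAMPLE_MARKER)))
    print(repr(run_framed("echo hello; echo world")))
```

Two points worth keeping in mind when applying this in a client: the forged marker pair in the sample is skipped because its UUID is not the one the client generated for this call, so the markers only help if a fresh UUID is used per invocation; and because the wrapping uses `&&`, a server-side command that exits non-zero never prints the end marker, which should be reported as a failure rather than treated as an empty result.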