X2Go Bug report logs - #335
Users can inject arbitrary data into Pyhoca-GUI via .bashrc

Package: python-x2go; Maintainer for python-x2go is X2Go Developers <x2go-dev@lists.x2go.org>; Source for python-x2go is src:python-x2go.

Reported by: "Dan Halbert" <halbert@halwitz.org>

Date: Mon, 21 Oct 2013 12:48:02 UTC

Severity: grave

Tags: confirmed, pending

Fixed in version 0.4.0.9

Done: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Bug is archived. No further changes may be made.


Message #24 received at control@bugs.x2go.org (full text, mbox, reply):

Date: Tue, 29 Oct 2013 12:23:16 +0000
Message-ID: <20131029122316.Horde.0UwNNkH8HU_JhQ-Y0lXJYw2@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Dan Halbert <halbert@halwitz.org>
Cc: 327@bugs.x2go.org, control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#327: x2go client crashes if .bashrc prints
 anything
References: <1382199763.63727452@beta.apps.rackspace.com>
 <20131029083628.Horde.8Mmv6w__TzqxxZW5QIjqjw9@mail.das-netzwerkteam.de>
 <526FA219.9030701@halwitz.org>
In-Reply-To: <526FA219.9030701@halwitz.org>
[Message part 1 (text/plain, inline)]
clone #327 -1
tag #327 wontfix
retitle -1 users can inject data into X2Go Client using .bashrc
severity -1 grave

Hi Dan,

On Tue 29 Oct 2013 12:55:05 CET, Dan Halbert wrote:

> On 10/29/2013 4:36 AM, Mike Gabriel wrote:
>> If I put an
>>> echo "testing"   # exact text doesn't matter
>>
>> I presume this is on the server.
> Right, this is on the server. With the Windows client there is no  
> .bashrc anyway. I confirmed with my colleague that he saw this on  
> both the Windows and Ubuntu Precise clients.
>
> Which windowing system chosen on the server does not seem to matter  
> either. I saw it with UNITY and with just "Terminal".
>
>> I could confirm this issue on Debian wheezy or Ubuntu precise as  
>> X2Go Server. On Ubuntu lucid, the problem does not occur.
> That's interesting. The reason for putting in the echoes was to  
> debug a completely unrelated problem about which shell init got run  
> when we were running some batch jobs. I had instrumented the init  
> files before without difficulty. Thanks for looking at this.

I have looked at this in depth this morning. Indeed an echoing .bashrc  
file breaks X2Go. But it also breaks everything else around SSH, esp.  
scp [1, 2].

The first link [1] also provides a solution that I want to quote here:

""" (file: ~/.bashrc)
[... normal .bashrc stuff ...]

if [[ $- =~ "i" ]]; then
   echo "SPEAK OUT LOUD!!!"
fi
"""

The i-flag in $- checks if the shell is interactive or not. With X2Go,  
this flag will not get set.

Greets,
Mike

[1]  
http://stackoverflow.com/questions/12440287/scp-doesnt-work-when-echo-in-bashrc
[2] https://bugzilla.redhat.com/show_bug.cgi?id=20527

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-keys, inline)]
[Message part 3 (application/pgp-signature, inline)]
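
The effect of the guard quoted in the message above can be checked locally. This is an added example, not part of the original message or of X2Go's code; it assumes `BASH_ENV` as a stand-in for sshd's sourcing of `~/.bashrc`, and the two rc files and the `PAYLOAD` string are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: measure what a shell init file writes to stdout when bash
# starts non-interactively, which is how scp and X2Go commands are run.
# Assumption: BASH_ENV makes a non-interactive bash source the given file,
# standing in for sshd-triggered ~/.bashrc sourcing so this runs offline.

# run_noninteractive FILE CMD: run CMD in a non-interactive bash that sources
# FILE first. SSH_* is unset and stdin detached so bash does not take its
# "started by sshd" path and read the real ~/.bashrc instead.
run_noninteractive() {
    ( unset SSH_CLIENT SSH2_CLIENT
      BASH_ENV="$1" bash -c "$2" </dev/null 2>/dev/null )
}

# rc_noise_bytes FILE: bytes FILE puts on stdout before a silent command.
# Anything above 0 ends up inside the byte stream a client expects to parse.
rc_noise_bytes() {
    run_noninteractive "$1" 'true' | wc -c | tr -d ' '
}

# rc_client_view FILE: what a client reading stdout of a remote command
# (here a constructed "echo PAYLOAD") actually receives.
rc_client_view() {
    run_noninteractive "$1" 'echo PAYLOAD'
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed sample 1: the unguarded echo from the report.
cat > "$workdir/noisy.bashrc" <<'EOF'
echo "testing"
EOF

# Constructed sample 2: the guarded form quoted in the message.
cat > "$workdir/guarded.bashrc" <<'EOF'
if [[ $- =~ "i" ]]; then
   echo "SPEAK OUT LOUD!!!"
fi
EOF

for rc in noisy guarded; do
    printf '%s: %s stray bytes; client reads: %s\n' "$rc" \
        "$(rc_noise_bytes "$workdir/$rc.bashrc")" \
        "$(rc_client_view "$workdir/$rc.bashrc" | tr '\n' '|')"
done
```

Against a real server the equivalent check is that a silent remote command, for example `ssh user@host true | wc -c` with a placeholder host, reports 0 bytes.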
