X2Go Bug report logs - #705
client sends password to http broker without percent encoding special characters such as &

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Jason Alavaliant <alavaliant@ra09.com>

Date: Tue, 16 Dec 2014 23:10:01 UTC

Severity: grave

Tags: patch, pending

Found in version 4.0.3.1

Fixed in version 4.0.3.2

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#705; Package x2goclient. (Tue, 16 Dec 2014 23:10:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jason Alavaliant <alavaliant@ra09.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 16 Dec 2014 23:10:02 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Jason Alavaliant <alavaliant@ra09.com>
To: submit@bugs.x2go.org
Subject: client sends password to http broker without percent encoding special characters such as &
Date: Wed, 17 Dec 2014 11:45:02 +1300
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.0.3.1
Severity: grave
Tags: patch

I've just setup an x2go load balanced setup using x2gobroker (http 
connection - x2goclient --broker-url=http://server:8080/plain/inifile),  
  after putting it into production we found a number of our users had 
their passwords rejected when trying to sign into the x2go client to 
access the broker.

Tracing through the traffic/logs   we found that the problem is that 
password values were being set unencoded to the broker,   so for example 
if there was an & present in a password the form data was submitted in 
the form of

task=listsessions&user=user&password=mypass&word&authid=

which resulted in the data being read by the server as the pasword being 
mypass   rather than  mypass&word

The attached patch in my testing (done on Linux) fixes the client so 
data is correctly escaped so the above example would be submitted as


task=listsessions&user=user&password=mypass%26word&authid=

which is correctly parsed as the password being mypass&word
and allows the login to work.


If we could get an indication of when this fix is likely to make a 
client release it would appreciated since we currently don't have 
Windows and OSX builds with the patch and are trying to workout if it's 
worth the time of setting up development workstations to be able to 
compile the client for those platforms vs just waiting for the next 
client release.

Thanks for your time.
Jason
[x2go-client-broker-httpauth-encoding-fix.patch (text/x-diff, attachment)]

Message sent on to Jason Alavaliant <alavaliant@ra09.com>:
Bug#705. (Wed, 17 Dec 2014 10:15:02 GMT) Full text and rfc822 format available.

Message #8 received at 705-submitter@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 705-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 705@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as pending for release
Date: Wed, 17 Dec 2014 11:14:54 +0100 (CET)
tag #705 pending
fixed #705 4.0.3.2
thanks

Hello,

X2Go issue #705 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=db7c2f3

The issue will most likely be fixed in src:x2goclient (4.0.3.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit db7c2f3009d9f39cdf8a85327c632dcb643f631c
Author: Jason Alavaliant <alavaliant@ra09.com>
Date:   Wed Dec 17 11:14:02 2014 +0100

    Use QUrl::toPercentEncoding() method to properly encode passwords sent to X2Go Session Broker. (Fixes: #705).

diff --git a/debian/changelog b/debian/changelog
index 1a034f3..1a2701d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,11 @@ x2goclient (4.0.3.2-0x2go1) UNRELEASED; urgency=medium
   * New upstream release (4.0.3.2):
     - Provide empty Turkish translation file.
 
+  [ Jason Alavaliant ]
+  * New upstream verson (4.0.3.2):
+    - Use QUrl::toPercentEncoding() method to properly encode passwords sent
+      to X2Go Session Broker. (Fixes: #705).
+
   [ Mike DePaulo ]
   * New upstream release (4.0.3.2):
     - Windows: Fix compatibility with PulseAudio 6.0


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#705; Package x2goclient. (Wed, 17 Dec 2014 10:20:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 17 Dec 2014 10:20:02 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Wed, 17 Dec 2014 10:20:03 GMT) Full text and rfc822 format available.

Marked as fixed in versions 4.0.3.2. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Wed, 17 Dec 2014 10:20:03 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#705; Package x2goclient. (Thu, 19 Feb 2015 12:00:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Thu, 19 Feb 2015 12:00:07 GMT) Full text and rfc822 format available.

Message #22 received at 705@bugs.x2go.org (full text, mbox):

From: X2Go Release Manager <git-admin@x2go.org>
To: 705-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 705@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Date: Thu, 19 Feb 2015 12:57:58 +0100 (CET)
close #705
thanks

Hello,

we are very hopeful that X2Go issue #705 reported by you
has been resolved in the new release (4.0.3.2) of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.3.2)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=3b7ca68412005521d45d9751a370549ab1c80e58;hp=5290218751cc68a1fc1711ebd169e195eb3daeed

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.3.2-0x2go1
Status: RELEASE
Date: Thu, 19 Feb 2015 12:49:22 +0100
Fixes: 616 642 681 702 705 713 720 742 781 782
Changes: 
 x2goclient (4.0.3.2-0x2go1) RELEASED; urgency=medium
 .
   [ Oleksandr Shneyder ]
   * New upstream release (4.0.3.2):
     - Fix placement of session folders in session card column. (Fixes: #681).
     - Send empty message in x2gohelper to stop AppStarting cursor. (Fixes: #616).
     - Fix multiple creations of modmap timer (OS_DARWIN).
 .
   [ Mike Gabriel ]
   * New upstream release (4.0.3.2):
     - Add several info/error/debug log message while hunting down #702.
     - Use app.setQuitOnLastWindowClosed(false) for the X2Go Client QtApplication
       to assure that X2Go Client does not arbitrarily exit during a running
       session. This fixes X2Go Client crashes that occur when printing via
       the CUPS-X2Go printing mechanism with activate print dialog popup on
       incoming print jobs and minimized main window. (Fixes: #702).
     - Be more exact when reporting rev forwarding tunnel request failures to
       the GUI user. Include the purpose of the tunnel (NX, audio, foldersharing)
       in the error message.
     - Enable debugging in sshprocess.cpp and sshmasterconnection.cpp if
       --debug is given.
     - sshmasterconnection.cpp: Fix several grammar issues in error messages.
     - When sharing a client-side folder, do not write the SSH pub key to
       client-side authorized_keys file if the folder-to-be-shared does not
       exist on the client. (Partially solves #405).
     - Fix string concatenation/layout of error message when tunnel I/O errors
       occur.
     - Improve debugging/logging the SSH connections made by X2Go Client.
     - Fix quotes when calling remote commands via SSH (esp. allow same quoting/
       escaping style for libssh and openSSH+Krb based connections). (Fixes: #720).
     - FIXME: Disable PubkeyAuthentication _and_ PasswordAuthentication if
       GSSAPI authentication is activated. This is counter intuitive, though,
       and requires several other fixes in the authentication code.
   * x2goclient.spec:
     - Always set BuildRoot: parameter.
 .
   [ Sergey Savko ]
   * New upstream release (4.0.3.2):
     - Prevent passwordless re-logins into X2Go Session Broker if
       --broker-autologoff is used on the cmdline. (Fixes: #782).
     - Add new cmdline option --broker-noauth-use-session-username.
       When --broker-noauth is used, the broker does not know on behalf
       of which user to operate. This new option enables username syncing.
       When logging into X2Go Server, that username will be sent to the
       broker and be used for querying X2Go Broker Agents etc. (Fixes: #781).
 .
   [ Heinrich Schuchardt ]
   * New upstream release (4.0.3.2):
     - Base the layout dialogue "Session ID" (which shows up when starting a
       connection) on typographic points (instead of pixels). (Fixes: #713).
 .
   [ Jason Alavaliant ]
   * New upstream verson (4.0.3.2):
     - Use QUrl::toPercentEncoding() method to properly encode passwords sent
       to X2Go Session Broker. (Fixes: #705).
 .
   [ Mike DePaulo ]
   * New upstream release (4.0.3.2):
     - Windows: Win32 OpenSSL updates from 1.0.1j to 1.0.1L, which
       fixes the CVEs announced on 2015-01-08.
     - Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which
       fixes the CVEs announced on 2015-01-08.
     - Windows: Bundle new version of VcXsrv: 1.15.2.2-xp+vc2013+x2go1.
       The differences from 1.15.2.1-xp+vc2013+x2go1 are that its bundled
       OpenSSL has been updated to 1.0.1k, and that xorg-server
       CVE-2014-8091..8103 have been fixed.
     - Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining
       Pageant support). This fixes CVE-2014-8132, which shouldn't
       affect x2goclient because x2goclient uses the SSH client
       functionality, not the SSH server functionality.
       0.6.4 also added 4 features related to ECDSA keys.
     - Windows: Fix compatibility with PulseAudio 6.0
     - Windows: Remove workaround for audio input with old versions of
       PulseAudio (calling parec once per second)
       (Fixes: #742)
       Thanks George Trakatelis (uom.edu.gr) for submitting this change.
     - Windows: Enable X2Go Client for Windows to build under VS2010 nmake
       (but not the VS2010 IDE due to a Qt4 Visual Studio Add-in limitation)
       Note that the official builds are still build under MinGW.
       (Fixes: #642)
       Thanks George Trakatelis (uom.edu.gr) for submitting this feature.
     - Windows: Make builds easier, and updating bundled dependencies
       easier, by adding copy-deps-win32.bat. It copies the exact
       version of each dependency (DLL, executable, data, folder, etc)
       from x2goclient-contrib.git.
 .
   [ Kaan Ozdincer ]
   * New upstream version (4.0.3.2):
     - Add Turkish translation file.


Marked Bug as done Request was from X2Go Release Manager <git-admin@x2go.org> to control@bugs.x2go.org. (Thu, 19 Feb 2015 12:00:24 GMT) Full text and rfc822 format available.

Notification sent to Jason Alavaliant <alavaliant@ra09.com>:
Bug acknowledged by developer. (Thu, 19 Feb 2015 12:00:24 GMT) Full text and rfc822 format available.

Message sent on to Jason Alavaliant <alavaliant@ra09.com>:
Bug#705. (Thu, 19 Feb 2015 12:00:32 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Fri, 20 Mar 2015 06:24:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Apr 19 05:23:56 2019; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.