X2Go Bug report logs - #705
client sends password to http broker without percent encoding special characters such as &

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Jason Alavaliant <alavaliant@ra09.com>

To: submit@bugs.x2go.org

Subject: client sends password to http broker without percent encoding special characters such as &

Date: Wed, 17 Dec 2014 11:45:02 +1300

[Message part 1 (text/plain, inline)]

Package: x2goclient
Version: 4.0.3.1
Severity: grave
Tags: patch

I've just setup an x2go load balanced setup using x2gobroker (http 
connection - x2goclient --broker-url=http://server:8080/plain/inifile),  
  after putting it into production we found a number of our users had 
their passwords rejected when trying to sign into the x2go client to 
access the broker.

Tracing through the traffic/logs   we found that the problem is that 
password values were being set unencoded to the broker,   so for example 
if there was an & present in a password the form data was submitted in 
the form of

task=listsessions&user=user&password=mypass&word&authid=

which resulted in the data being read by the server as the pasword being 
mypass   rather than  mypass&word

The attached patch in my testing (done on Linux) fixes the client so 
data is correctly escaped so the above example would be submitted as


task=listsessions&user=user&password=mypass%26word&authid=

which is correctly parsed as the password being mypass&word
and allows the login to work.


If we could get an indication of when this fix is likely to make a 
client release it would appreciated since we currently don't have 
Windows and OSX builds with the patch and are trying to workout if it's 
worth the time of setting up development workstations to be able to 
compile the client for those platforms vs just waiting for the next 
client release.

Thanks for your time.
Jason

[x2go-client-broker-httpauth-encoding-fix.patch (text/x-diff, attachment)]

Message #8 received at 705-submitter@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 705-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 705@bugs.x2go.org

Subject: X2Go issue (in src:x2goclient) has been marked as pending for release

Date: Wed, 17 Dec 2014 11:14:54 +0100 (CET)

tag #705 pending
fixed #705 4.0.3.2
thanks

Hello,

X2Go issue #705 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=db7c2f3

The issue will most likely be fixed in src:x2goclient (4.0.3.2).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit db7c2f3009d9f39cdf8a85327c632dcb643f631c
Author: Jason Alavaliant <alavaliant@ra09.com>
Date:   Wed Dec 17 11:14:02 2014 +0100

    Use QUrl::toPercentEncoding() method to properly encode passwords sent to X2Go Session Broker. (Fixes: #705).

diff --git a/debian/changelog b/debian/changelog
index 1a034f3..1a2701d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,11 @@ x2goclient (4.0.3.2-0x2go1) UNRELEASED; urgency=medium
   * New upstream release (4.0.3.2):
     - Provide empty Turkish translation file.
 
+  [ Jason Alavaliant ]
+  * New upstream verson (4.0.3.2):
+    - Use QUrl::toPercentEncoding() method to properly encode passwords sent
+      to X2Go Session Broker. (Fixes: #705).
+
   [ Mike DePaulo ]
   * New upstream release (4.0.3.2):
     - Windows: Fix compatibility with PulseAudio 6.0

Message #22 received at 705@bugs.x2go.org (full text, mbox, reply):

From: X2Go Release Manager <git-admin@x2go.org>

To: 705-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 705@bugs.x2go.org

Subject: X2Go issue (in src:x2goclient) has been marked as closed

Date: Thu, 19 Feb 2015 12:57:58 +0100 (CET)

close #705
thanks

Hello,

we are very hopeful that X2Go issue #705 reported by you
has been resolved in the new release (4.0.3.2) of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.3.2)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=3b7ca68412005521d45d9751a370549ab1c80e58;hp=5290218751cc68a1fc1711ebd169e195eb3daeed

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.3.2-0x2go1
Status: RELEASE
Date: Thu, 19 Feb 2015 12:49:22 +0100
Fixes: 616 642 681 702 705 713 720 742 781 782
Changes: 
 x2goclient (4.0.3.2-0x2go1) RELEASED; urgency=medium
 .
   [ Oleksandr Shneyder ]
   * New upstream release (4.0.3.2):
     - Fix placement of session folders in session card column. (Fixes: #681).
     - Send empty message in x2gohelper to stop AppStarting cursor. (Fixes: #616).
     - Fix multiple creations of modmap timer (OS_DARWIN).
 .
   [ Mike Gabriel ]
   * New upstream release (4.0.3.2):
     - Add several info/error/debug log message while hunting down #702.
     - Use app.setQuitOnLastWindowClosed(false) for the X2Go Client QtApplication
       to assure that X2Go Client does not arbitrarily exit during a running
       session. This fixes X2Go Client crashes that occur when printing via
       the CUPS-X2Go printing mechanism with activate print dialog popup on
       incoming print jobs and minimized main window. (Fixes: #702).
     - Be more exact when reporting rev forwarding tunnel request failures to
       the GUI user. Include the purpose of the tunnel (NX, audio, foldersharing)
       in the error message.
     - Enable debugging in sshprocess.cpp and sshmasterconnection.cpp if
       --debug is given.
     - sshmasterconnection.cpp: Fix several grammar issues in error messages.
     - When sharing a client-side folder, do not write the SSH pub key to
       client-side authorized_keys file if the folder-to-be-shared does not
       exist on the client. (Partially solves #405).
     - Fix string concatenation/layout of error message when tunnel I/O errors
       occur.
     - Improve debugging/logging the SSH connections made by X2Go Client.
     - Fix quotes when calling remote commands via SSH (esp. allow same quoting/
       escaping style for libssh and openSSH+Krb based connections). (Fixes: #720).
     - FIXME: Disable PubkeyAuthentication _and_ PasswordAuthentication if
       GSSAPI authentication is activated. This is counter intuitive, though,
       and requires several other fixes in the authentication code.
   * x2goclient.spec:
     - Always set BuildRoot: parameter.
 .
   [ Sergey Savko ]
   * New upstream release (4.0.3.2):
     - Prevent passwordless re-logins into X2Go Session Broker if
       --broker-autologoff is used on the cmdline. (Fixes: #782).
     - Add new cmdline option --broker-noauth-use-session-username.
       When --broker-noauth is used, the broker does not know on behalf
       of which user to operate. This new option enables username syncing.
       When logging into X2Go Server, that username will be sent to the
       broker and be used for querying X2Go Broker Agents etc. (Fixes: #781).
 .
   [ Heinrich Schuchardt ]
   * New upstream release (4.0.3.2):
     - Base the layout dialogue "Session ID" (which shows up when starting a
       connection) on typographic points (instead of pixels). (Fixes: #713).
 .
   [ Jason Alavaliant ]
   * New upstream verson (4.0.3.2):
     - Use QUrl::toPercentEncoding() method to properly encode passwords sent
       to X2Go Session Broker. (Fixes: #705).
 .
   [ Mike DePaulo ]
   * New upstream release (4.0.3.2):
     - Windows: Win32 OpenSSL updates from 1.0.1j to 1.0.1L, which
       fixes the CVEs announced on 2015-01-08.
     - Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which
       fixes the CVEs announced on 2015-01-08.
     - Windows: Bundle new version of VcXsrv: 1.15.2.2-xp+vc2013+x2go1.
       The differences from 1.15.2.1-xp+vc2013+x2go1 are that its bundled
       OpenSSL has been updated to 1.0.1k, and that xorg-server
       CVE-2014-8091..8103 have been fixed.
     - Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining
       Pageant support). This fixes CVE-2014-8132, which shouldn't
       affect x2goclient because x2goclient uses the SSH client
       functionality, not the SSH server functionality.
       0.6.4 also added 4 features related to ECDSA keys.
     - Windows: Fix compatibility with PulseAudio 6.0
     - Windows: Remove workaround for audio input with old versions of
       PulseAudio (calling parec once per second)
       (Fixes: #742)
       Thanks George Trakatelis (uom.edu.gr) for submitting this change.
     - Windows: Enable X2Go Client for Windows to build under VS2010 nmake
       (but not the VS2010 IDE due to a Qt4 Visual Studio Add-in limitation)
       Note that the official builds are still build under MinGW.
       (Fixes: #642)
       Thanks George Trakatelis (uom.edu.gr) for submitting this feature.
     - Windows: Make builds easier, and updating bundled dependencies
       easier, by adding copy-deps-win32.bat. It copies the exact
       version of each dependency (DLL, executable, data, folder, etc)
       from x2goclient-contrib.git.
 .
   [ Kaan Ozdincer ]
   * New upstream version (4.0.3.2):
     - Add Turkish translation file.

Send a report that this bug log contains spam.