X2Go Bug report logs - #705
client sends password to http broker without percent encoding special characters such as &
Reported by: Jason Alavaliant <alavaliant@ra09.com>
Date: Tue, 16 Dec 2014 23:10:01 UTC
Severity: grave
Tags: patch, pending
Found in version 4.0.3.1
Fixed in version 4.0.3.2
Done: X2Go Release Manager <git-admin@x2go.org>
Bug is archived. No further changes may be made.
Full log
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the x2goclient package:
#705: client sends password to http broker without percent encoding special characters such as &
It has been closed by X2Go Release Manager <git-admin@x2go.org>.
Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact X2Go Release Manager <git-admin@x2go.org> by
replying to this email.
--
X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
close #705
thanks
Hello,
we are very hopeful that X2Go issue #705 reported by you
has been resolved in the new release (4.0.3.2) of the
X2Go source project »src:x2goclient«.
You can view the complete changelog entry of src:x2goclient (4.0.3.2)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=3b7ca68412005521d45d9751a370549ab1c80e58;hp=5290218751cc68a1fc1711ebd169e195eb3daeed
If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.
Thanks a lot for contributing to X2Go!!!
light+love
X2Go Git Admin (on behalf of the sender of this mail)
---
X2Go Component: src:x2goclient
Version: 4.0.3.2-0x2go1
Status: RELEASE
Date: Thu, 19 Feb 2015 12:49:22 +0100
Fixes: 616 642 681 702 705 713 720 742 781 782
Changes:
x2goclient (4.0.3.2-0x2go1) RELEASED; urgency=medium
.
[ Oleksandr Shneyder ]
* New upstream release (4.0.3.2):
- Fix placement of session folders in session card column. (Fixes: #681).
- Send empty message in x2gohelper to stop AppStarting cursor. (Fixes: #616).
- Fix multiple creations of modmap timer (OS_DARWIN).
.
[ Mike Gabriel ]
* New upstream release (4.0.3.2):
- Add several info/error/debug log message while hunting down #702.
- Use app.setQuitOnLastWindowClosed(false) for the X2Go Client QtApplication
to assure that X2Go Client does not arbitrarily exit during a running
session. This fixes X2Go Client crashes that occur when printing via
the CUPS-X2Go printing mechanism with activate print dialog popup on
incoming print jobs and minimized main window. (Fixes: #702).
- Be more exact when reporting rev forwarding tunnel request failures to
the GUI user. Include the purpose of the tunnel (NX, audio, foldersharing)
in the error message.
- Enable debugging in sshprocess.cpp and sshmasterconnection.cpp if
--debug is given.
- sshmasterconnection.cpp: Fix several grammar issues in error messages.
- When sharing a client-side folder, do not write the SSH pub key to
client-side authorized_keys file if the folder-to-be-shared does not
exist on the client. (Partially solves #405).
- Fix string concatenation/layout of error message when tunnel I/O errors
occur.
- Improve debugging/logging the SSH connections made by X2Go Client.
- Fix quotes when calling remote commands via SSH (esp. allow same quoting/
escaping style for libssh and openSSH+Krb based connections). (Fixes: #720).
- FIXME: Disable PubkeyAuthentication _and_ PasswordAuthentication if
GSSAPI authentication is activated. This is counter intuitive, though,
and requires several other fixes in the authentication code.
* x2goclient.spec:
- Always set BuildRoot: parameter.
.
[ Sergey Savko ]
* New upstream release (4.0.3.2):
- Prevent passwordless re-logins into X2Go Session Broker if
--broker-autologoff is used on the cmdline. (Fixes: #782).
- Add new cmdline option --broker-noauth-use-session-username.
When --broker-noauth is used, the broker does not know on behalf
of which user to operate. This new option enables username syncing.
When logging into X2Go Server, that username will be sent to the
broker and be used for querying X2Go Broker Agents etc. (Fixes: #781).
.
[ Heinrich Schuchardt ]
* New upstream release (4.0.3.2):
- Base the layout dialogue "Session ID" (which shows up when starting a
connection) on typographic points (instead of pixels). (Fixes: #713).
.
[ Jason Alavaliant ]
* New upstream version (4.0.3.2):
- Use QUrl::toPercentEncoding() method to properly encode passwords sent
to X2Go Session Broker. (Fixes: #705).
.
[ Mike DePaulo ]
* New upstream release (4.0.3.2):
- Windows: Win32 OpenSSL updates from 1.0.1j to 1.0.1L, which
fixes the CVEs announced on 2015-01-08.
- Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which
fixes the CVEs announced on 2015-01-08.
- Windows: Bundle new version of VcXsrv: 1.15.2.2-xp+vc2013+x2go1.
The differences from 1.15.2.1-xp+vc2013+x2go1 are that its bundled
OpenSSL has been updated to 1.0.1k, and that xorg-server
CVE-2014-8091..8103 have been fixed.
- Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining
Pageant support). This fixes CVE-2014-8132, which shouldn't
affect x2goclient because x2goclient uses the SSH client
functionality, not the SSH server functionality.
0.6.4 also added 4 features related to ECDSA keys.
- Windows: Fix compatibility with PulseAudio 6.0
- Windows: Remove workaround for audio input with old versions of
PulseAudio (calling parec once per second)
(Fixes: #742)
Thanks George Trakatelis (uom.edu.gr) for submitting this change.
- Windows: Enable X2Go Client for Windows to build under VS2010 nmake
(but not the VS2010 IDE due to a Qt4 Visual Studio Add-in limitation)
Note that the official builds are still build under MinGW.
(Fixes: #642)
Thanks George Trakatelis (uom.edu.gr) for submitting this feature.
- Windows: Make builds easier, and updating bundled dependencies
easier, by adding copy-deps-win32.bat. It copies the exact
version of each dependency (DLL, executable, data, folder, etc)
from x2goclient-contrib.git.
.
[ Kaan Ozdincer ]
* New upstream version (4.0.3.2):
- Add Turkish translation file.
[Message part 3 (message/rfc822, inline)]
[Message part 4 (text/plain, inline)]
Package: x2goclient
Version: 4.0.3.1
Severity: grave
Tags: patch
I've just set up an x2go load balanced setup using x2gobroker (http
connection - x2goclient --broker-url=http://server:8080/plain/inifile),
after putting it into production we found a number of our users had
their passwords rejected when trying to sign into the x2go client to
access the broker.
Tracing through the traffic/logs we found that the problem is that
password values were being set unencoded to the broker, so for example
if there was an & present in a password the form data was submitted in
the form of
task=listsessions&user=user&password=mypass&word&authid=
which resulted in the data being read by the server as the password being
mypass rather than mypass&word
The attached patch in my testing (done on Linux) fixes the client so
data is correctly escaped so the above example would be submitted as
task=listsessions&user=user&password=mypass%26word&authid=
which is correctly parsed as the password being mypass&word
and allows the login to work.
If we could get an indication of when this fix is likely to make a
client release it would be appreciated since we currently don't have
Windows and OSX builds with the patch and are trying to work out if it's
worth the time of setting up development workstations to be able to
compile the client for those platforms vs just waiting for the next
client release.
Thanks for your time.
Jason
[x2go-client-broker-httpauth-encoding-fix.patch (text/x-diff, attachment)]
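To make the truncation described in the report concrete, here is an added example (not x2goclient code and not the attached patch) that reproduces both sides: a minimal application/x-www-form-urlencoded parser as a broker would use it, and a client-side body builder that percent-encodes values with the same unreserved-character rule QUrl::toPercentEncoding() applies by default. Function names and the parser are assumptions for illustration.

```cpp
// Added example (not x2goclient code): how a broker-side form parser sees an unencoded
// vs. a percent-encoded password. Keeps only ALPHA/DIGIT/"-._~", like QUrl::toPercentEncoding().
#include <cctype>
#include <map>
#include <sstream>
#include <string>

// Percent-encode one form value; '&', '=', '%', '+' and everything else non-unreserved become %XX.
std::string percentEncode(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') out += static_cast<char>(c);
        else { out += '%'; out += hex[c >> 4]; out += hex[c & 0x0F]; }
    }
    return out;
}

// Decode one field the way a CGI/WSGI form parser does: '+' is a space, %XX is a byte.
std::string percentDecode(const std::string &in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() && std::isxdigit((unsigned char)in[i + 1]) &&
            std::isxdigit((unsigned char)in[i + 2])) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else if (in[i] == '+') out += ' ';
        else out += in[i];
    }
    return out;
}

// Parse an application/x-www-form-urlencoded body. Splitting on '&' happens before decoding,
// so a raw '&' inside a password truncates it: "mypass&word" -> "mypass" plus a bogus key "word".
std::map<std::string, std::string> parseForm(const std::string &body) {
    std::map<std::string, std::string> fields;
    std::istringstream ss(body);
    std::string pair;
    while (std::getline(ss, pair, '&')) {
        size_t eq = pair.find('=');
        std::string key = pair.substr(0, eq);
        if (!key.empty()) fields[percentDecode(key)] = percentDecode(eq == std::string::npos ? "" : pair.substr(eq + 1));
    }
    return fields;
}

// Build the broker request body as the fixed client does: every value percent-encoded.
std::string brokerBody(const std::string &user, const std::string &password) {
    return "task=listsessions&user=" + percentEncode(user) + "&password=" + percentEncode(password) + "&authid=";
}
```

Feeding the unencoded body from the report through parseForm() yields password "mypass" and a stray key "word"; the body from brokerBody() round-trips to "mypass&word".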
X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Oct 31 10:09:11 2024; Machine Name: ymir.das-netzwerkteam.de