X2Go Bug report logs - #705
client sends password to http broker without percent encoding special characters such as &


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Jason Alavaliant <alavaliant@ra09.com>

Date: Tue, 16 Dec 2014 23:10:01 UTC

Severity: grave

Tags: patch, pending

Found in version

Fixed in version

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log


MIME-Version: 1.0
X-Mailer: MIME-tools 5.502 (Entity 5.502)
X-Loop: owner@bugs.x2go.org
From: owner@bugs.x2go.org (X2Go Bug Tracking System)
Subject: Bug#705 closed by X2Go Release Manager <git-admin@x2go.org> (X2Go
 issue (in src:x2goclient) has been marked as closed)
Message-ID: <handler.705.c.142434711320063.notifdone@bugs.x2go.org>
References: <20150219115758.A90D35DCA8@ymir.das-netzwerkteam.de>
X-X2go-PR-Keywords: pending patch
X-X2go-PR-Message: they-closed 705
X-X2go-PR-Package: x2goclient
X-X2go-PR-Source: x2goclient
Date: Thu, 19 Feb 2015 12:00:24 +0000
Content-Type: multipart/mixed; boundary="----------=_1424347224-20590-0"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your Bug report
which was filed against the x2goclient package:

#705: client sends password to http broker without percent encoding special characters such as &

It has been closed by X2Go Release Manager <git-admin@x2go.org>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact X2Go Release Manager <git-admin@x2go.org> by
replying to this email.

X2Go Bug Tracking System
Contact owner@bugs.x2go.org with problems
[Message part 2 (message/rfc822, inline)]
From: X2Go Release Manager <git-admin@x2go.org>
To: 705-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 705@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Date: Thu, 19 Feb 2015 12:57:58 +0100 (CET)
close #705


we are very hopeful that X2Go issue #705 reported by you
has been resolved in the new release ( of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.


If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

X2Go Git Admin (on behalf of the sender of this mail)

X2Go Component: src:x2goclient
Date: Thu, 19 Feb 2015 12:49:22 +0100
Fixes: 616 642 681 702 705 713 720 742 781 782
 x2goclient ( RELEASED; urgency=medium
   [ Oleksandr Shneyder ]
   * New upstream release (
     - Fix placement of session folders in session card column. (Fixes: #681).
     - Send empty message in x2gohelper to stop AppStarting cursor. (Fixes: #616).
     - Fix multiple creations of modmap timer (OS_DARWIN).
   [ Mike Gabriel ]
   * New upstream release (
     - Add several info/error/debug log message while hunting down #702.
     - Use app.setQuitOnLastWindowClosed(false) for the X2Go Client QtApplication
       to assure that X2Go Client does not arbitrarily exit during a running
       session. This fixes X2Go Client crashes that occur when printing via
       the CUPS-X2Go printing mechanism with activate print dialog popup on
       incoming print jobs and minimized main window. (Fixes: #702).
     - Be more exact when reporting rev forwarding tunnel request failures to
       the GUI user. Include the purpose of the tunnel (NX, audio, foldersharing)
       in the error message.
     - Enable debugging in sshprocess.cpp and sshmasterconnection.cpp if
       --debug is given.
     - sshmasterconnection.cpp: Fix several grammar issues in error messages.
     - When sharing a client-side folder, do not write the SSH pub key to
       client-side authorized_keys file if the folder-to-be-shared does not
       exist on the client. (Partially solves #405).
     - Fix string concatenation/layout of error message when tunnel I/O errors
     - Improve debugging/logging the SSH connections made by X2Go Client.
     - Fix quotes when calling remote commands via SSH (esp. allow same quoting/
       escaping style for libssh and openSSH+Krb based connections). (Fixes: #720).
     - FIXME: Disable PubkeyAuthentication _and_ PasswordAuthentication if
       GSSAPI authentication is activated. This is counter intuitive, though,
       and requires several other fixes in the authentication code.
   * x2goclient.spec:
     - Always set BuildRoot: parameter.
   [ Sergey Savko ]
   * New upstream release (
     - Prevent passwordless re-logins into X2Go Session Broker if
       --broker-autologoff is used on the cmdline. (Fixes: #782).
     - Add new cmdline option --broker-noauth-use-session-username.
       When --broker-noauth is used, the broker does not know on behalf
       of which user to operate. This new option enables username syncing.
       When logging into X2Go Server, that username will be sent to the
       broker and be used for querying X2Go Broker Agents etc. (Fixes: #781).
   [ Heinrich Schuchardt ]
   * New upstream release (
     - Base the layout dialogue "Session ID" (which shows up when starting a
       connection) on typographic points (instead of pixels). (Fixes: #713).
   [ Jason Alavaliant ]
   * New upstream version (
     - Use QUrl::toPercentEncoding() method to properly encode passwords sent
       to X2Go Session Broker. (Fixes: #705).
   [ Mike DePaulo ]
   * New upstream release (
     - Windows: Win32 OpenSSL updates from 1.0.1j to 1.0.1L, which
       fixes the CVEs announced on 2015-01-08.
     - Windows: Cygwin OpenSSL updated from 1.0.1j-1 to 1.0.1k-1, which
       fixes the CVEs announced on 2015-01-08.
     - Windows: Bundle new version of VcXsrv:
       The differences from are that its bundled
       OpenSSL has been updated to 1.0.1k, and that xorg-server
       CVE-2014-8091..8103 have been fixed.
     - Windows: Update libssh from 0.6.3 to 0.6.4 (while maintaining
       Pageant support). This fixes CVE-2014-8132, which shouldn't
       affect x2goclient because x2goclient uses the SSH client
       functionality, not the SSH server functionality.
       0.6.4 also added 4 features related to ECDSA keys.
     - Windows: Fix compatibility with PulseAudio 6.0
     - Windows: Remove workaround for audio input with old versions of
       PulseAudio (calling parec once per second)
       (Fixes: #742)
       Thanks George Trakatelis (uom.edu.gr) for submitting this change.
     - Windows: Enable X2Go Client for Windows to build under VS2010 nmake
       (but not the VS2010 IDE due to a Qt4 Visual Studio Add-in limitation)
       Note that the official builds are still build under MinGW.
       (Fixes: #642)
       Thanks George Trakatelis (uom.edu.gr) for submitting this feature.
     - Windows: Make builds easier, and updating bundled dependencies
       easier, by adding copy-deps-win32.bat. It copies the exact
       version of each dependency (DLL, executable, data, folder, etc)
       from x2goclient-contrib.git.
   [ Kaan Ozdincer ]
   * New upstream version (
     - Add Turkish translation file.

[Message part 3 (message/rfc822, inline)]
From: Jason Alavaliant <alavaliant@ra09.com>
To: submit@bugs.x2go.org
Subject: client sends password to http broker without percent encoding special characters such as &
Date: Wed, 17 Dec 2014 11:45:02 +1300
[Message part 4 (text/plain, inline)]
Package: x2goclient
Severity: grave
Tags: patch

I've just set up an x2go load balanced setup using x2gobroker (http
connection - x2goclient --broker-url=http://server:8080/plain/inifile).
After putting it into production we found a number of our users had
their passwords rejected when trying to sign into the x2go client to
access the broker.

Tracing through the traffic/logs we found that the problem is that
password values were being sent unencoded to the broker, so for example
if there was an & present in a password the form data was submitted in
the form of


which resulted in the data being read by the server as the password being
mypass rather than mypass&word

The attached patch in my testing (done on Linux) fixes the client so 
data is correctly escaped so the above example would be submitted as


which is correctly parsed as the password being mypass&word
and allows the login to work.

If we could get an indication of when this fix is likely to make a
client release it would be appreciated since we currently don't have
Windows and OSX builds with the patch and are trying to work out if it's
worth the time of setting up development workstations to be able to
compile the client for those platforms vs just waiting for the next
client release.

Thanks for your time.
[x2go-client-broker-httpauth-encoding-fix.patch (text/x-diff, attachment)]
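The failure described in the report above, and the fix recorded in the changelog entry ("Use QUrl::toPercentEncoding() method to properly encode passwords sent to X2Go Session Broker"), reduce to one thing: a POST body in application/x-www-form-urlencoded form is split on `&` and `=` by the receiver, so any of those characters inside a raw password value changes the field boundaries. The following is an added example, not code from x2goclient or x2gobroker. It implements the encoding rule QUrl::toPercentEncoding() applies by default (RFC 3986 unreserved characters kept, everything else as %XX) in plain C++ without Qt, plus an assumed minimal form-body decoder standing in for the broker side, and shows the password `mypass&word` being truncated to `mypass` when concatenated raw and surviving when encoded. The user name `alice`, the body builder functions and the `+`-to-space case are constructed for illustration.

```cpp
// Added example (not x2goclient/x2gobroker code): why an unencoded '&' in a
// password truncates the value the broker sees, and how RFC 3986
// percent-encoding (the default rule of QUrl::toPercentEncoding()) fixes it.
#include <cctype>
#include <cstdio>
#include <map>
#include <string>

// Client side: percent-encode one form value. Unreserved characters
// (A-Z a-z 0-9 - . _ ~) pass through; every other byte becomes %XX.
std::string percentEncode(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%';
            out += hex[c >> 4];
            out += hex[c & 0x0F];
        }
    }
    return out;
}

static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Server side (assumed behaviour of any form-urlencoded parser, not the
// broker's actual code): '+' means space, %XX is a byte, rest is literal.
std::string percentDecode(const std::string &in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '+') {
            out += ' ';
        } else if (in[i] == '%' && i + 2 < in.size()
                   && hexVal(in[i + 1]) >= 0 && hexVal(in[i + 2]) >= 0) {
            out += static_cast<char>(hexVal(in[i + 1]) * 16 + hexVal(in[i + 2]));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Split the body on '&', each pair on the first '=', decode both halves.
std::map<std::string, std::string> parseForm(const std::string &body) {
    std::map<std::string, std::string> fields;
    size_t start = 0;
    while (start <= body.size()) {
        size_t amp = body.find('&', start);
        if (amp == std::string::npos) amp = body.size();
        std::string pair = body.substr(start, amp - start);
        size_t eq = pair.find('=');
        std::string key = percentDecode(pair.substr(0, eq));
        std::string val = (eq == std::string::npos) ? "" : percentDecode(pair.substr(eq + 1));
        if (!key.empty()) fields[key] = val;   // later duplicates override earlier ones
        start = amp + 1;
    }
    return fields;
}

// The bug: raw concatenation, so '&' or '=' in the password ends the field.
std::string buildBodyUnencoded(const std::string &user, const std::string &pass) {
    return "user=" + user + "&password=" + pass;
}

// The fix: encode every value before it is joined into the body.
std::string buildBodyEncoded(const std::string &user, const std::string &pass) {
    return "user=" + percentEncode(user) + "&password=" + percentEncode(pass);
}

// What the broker would read back from the "password" field of a body.
std::string passwordSeenByBroker(const std::string &body) {
    return parseForm(body)["password"];
}

int main() {
    const std::string user = "alice";         // constructed sample input
    const std::string pass = "mypass&word";   // the password from the report
    std::printf("unencoded body: %s\n", buildBodyUnencoded(user, pass).c_str());
    std::printf("broker sees   : %s\n", passwordSeenByBroker(buildBodyUnencoded(user, pass)).c_str());
    std::printf("encoded body  : %s\n", buildBodyEncoded(user, pass).c_str());
    std::printf("broker sees   : %s\n", passwordSeenByBroker(buildBodyEncoded(user, pass)).c_str());
    return 0;
}
```

The same decoder also shows a quieter variant of the bug: a raw `+` in a password is read back as a space, so the login fails without any visible truncation. Encoding each value before concatenation, as the fix in the changelog does, handles both cases; the practical check after upgrading is to log in with a broker password containing `&`, `=`, `+` and `%` and confirm the broker accepts it.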


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Nov 29 21:27:37 2023; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.