From: Jason Alavaliant <alavaliant@ra09.com>
To: submit@bugs.x2go.org
Date: Thu, 18 Dec 2014 15:09:16 +1300
Subject: x2gobroker authservice fails to handle passwords with spaces in them

Package: x2gobroker-authservice
Version: 0.0.2.3
Tags: patch

Some of my users were getting authentication failed errors trying to log in via our x2go broker setup (configured with http backend). Further investigation revealed that the common factor was that they all had spaces in their passwords.

Digging through the code, I found that the socket connection used by the x2gobroker authservice used spaces to separate the fields when passing user data to be validated, which meant any password with a space was effectively truncated by the code when it was sent to the authservice.

The two attached patches contain my proposed fix of changing the separation character to be \r instead, which seems to fix the problem fine in my testing.

Thanks
Jason

Attachments (text/x-diff, base64-encoded):
  x2gobroker-authservice-handle-spaces-in-passwords.patch (size=452)
  authservice.py-handle-spaces-in-passwords.patch (size=780)
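
Added example (not part of the original report and not x2gobroker's own code): a minimal model of the one-line "user password service" request described above, comparing a whitespace split with the \r separator the report proposes, and adding a sender-side check so that no field can carry a framing character. The function names, the newline record terminator, the service name "broker" and the sample credentials are assumptions constructed for illustration.

```python
SEP = "\r"  # field separator proposed in the report
EOL = "\n"  # assumed end-of-request marker


def encode_request(username, password, service, sep=SEP):
    """Build one request line, refusing fields that would break the framing."""
    fields = (("username", username), ("password", password), ("service", service))
    for name, value in fields:
        if sep in value or EOL in value:
            raise ValueError(name + " contains a framing character")
    return sep.join(value for _, value in fields) + EOL


def parse_whitespace(line):
    """Space-separated parsing: a space inside a field shifts the field count."""
    fields = line.rstrip(EOL).split()
    return tuple(fields) if len(fields) == 3 else None


def parse_separator(line, sep=SEP):
    """Parsing on a dedicated separator: spaces stay inside the field."""
    fields = line.rstrip(EOL).split(sep)
    return tuple(fields) if len(fields) == 3 else None


if __name__ == "__main__":
    # Constructed sample credentials, not real data.
    legacy = "alice correct horse broker" + EOL
    print("whitespace split:", parse_whitespace(legacy))

    wire = encode_request("alice", "correct horse", "broker")
    print("separator split: ", parse_separator(wire))

    try:
        encode_request("alice", "bad\rpw", "broker")
    except ValueError as exc:
        print("rejected before sending:", exc)
```

The separator only moves the ambiguity to a less common character, so the sender-side check (or a length-prefixed encoding) is what keeps a field from being split or shifted on the receiving side.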