X2Go Bug report logs - #705
client sends password to http broker without percent encoding special characters such as &


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Jason Alavaliant <alavaliant@ra09.com>

Date: Tue, 16 Dec 2014 23:10:01 UTC

Severity: grave

Tags: patch, pending

Found in version 4.0.3.1

Fixed in version 4.0.3.2

Done: X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log



Subject: Bug#705: client sends password to http broker without percent encoding special characters such as &
Reply-To: Jason Alavaliant <alavaliant@ra09.com>, 705@bugs.x2go.org
Date: Wed, 17 Dec 2014 11:45:02 +1300
From: Jason Alavaliant <alavaliant@ra09.com>
To: submit@bugs.x2go.org
Message-ID: <56e6e11db7c4583666eebe1811f3d98b@private.ra09.com>
[Message part 1 (text/plain, inline)]
Package: x2goclient
Version: 4.0.3.1
Severity: grave
Tags: patch

I've just set up an x2go load balanced setup using x2gobroker (http 
connection - x2goclient --broker-url=http://server:8080/plain/inifile); 
after putting it into production we found a number of our users had 
their passwords rejected when trying to sign into the x2go client to 
access the broker.

Tracing through the traffic/logs we found that the problem is that 
password values were being sent unencoded to the broker, so for example 
if there was an & present in a password the form data was submitted in 
the form of

task=listsessions&user=user&password=mypass&word&authid=

which resulted in the data being read by the server as the password being 
mypass rather than mypass&word

The attached patch in my testing (done on Linux) fixes the client so 
data is correctly escaped so the above example would be submitted as


task=listsessions&user=user&password=mypass%26word&authid=

which is correctly parsed as the password being mypass&word
and allows the login to work.


If we could get an indication of when this fix is likely to make a 
client release it would be appreciated, since we currently don't have 
Windows and OSX builds with the patch and are trying to work out if it's 
worth the time of setting up development workstations to be able to 
compile the client for those platforms vs just waiting for the next 
client release.

Thanks for your time.
Jason
[x2go-client-broker-httpauth-encoding-fix.patch (text/x-diff, attachment)]
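As an added illustration (not the attached patch and not X2Go's own code), the following standalone C++ builds the broker form body with and without percent encoding and then parses it the way a form handler does, which shows why the unencoded body yields the password "mypass" while the encoded body yields "mypass&word". The field list and password are the constructed values from the report above.

```cpp
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>
using Fields = std::vector<std::pair<std::string, std::string>>;

// Percent-encode one form value: unreserved bytes pass through, every other
// byte (so also '&' and '=') becomes %XX and can no longer act as a separator.
std::string formEncode(const std::string& in) {
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') { out += static_cast<char>(c); continue; }
        char buf[4];
        std::snprintf(buf, sizeof buf, "%%%02X", static_cast<unsigned>(c));
        out += buf;
    }
    return out;
}
// Reverse of formEncode, as the broker side applies it to each parsed value.
std::string formDecode(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) { out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)); i += 2; }
        else out += in[i];
    }
    return out;
}
// Build the POST body: encode=false reproduces the buggy client, encode=true the fixed one.
std::string buildBody(const Fields& fields, bool encode) {
    std::string body;
    for (const auto& kv : fields) {
        if (!body.empty()) body += '&';
        body += kv.first + '=' + (encode ? formEncode(kv.second) : kv.second);
    }
    return body;
}
// Parse a body the way a form handler does: split on '&', then on the first '='.
std::map<std::string, std::string> parseBody(const std::string& body) {
    std::map<std::string, std::string> out;
    for (size_t pos = 0; pos <= body.size();) {
        size_t amp = body.find('&', pos);
        if (amp == std::string::npos) amp = body.size();
        std::string pair = body.substr(pos, amp - pos);
        size_t eq = pair.find('=');
        out[pair.substr(0, eq)] = (eq == std::string::npos) ? "" : formDecode(pair.substr(eq + 1));
        pos = amp + 1;
    }
    return out;
}
```

With the unencoded body the parser also sees a stray key "word", which is exactly the truncation the report describes; every client-supplied value should pass through formEncode before being joined into the body.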



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 19:36:55 2024; Machine Name: ymir.das-netzwerkteam.de
