This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2goclient. commit eb719be4f83a94653c8ffaa351ffe6c541d48a4d Author: Oleksandr Shneyder <o.shneyder@phoca-gmbh.de> Date: Tue Sep 3 09:32:01 2019 +0200 Do not show password in debug output of HTTP broker.
---
 debian/changelog | 1 +
 src/httpbrokerclient.cpp | 32 +++++++++++++++++++++++++++-----
 src/httpbrokerclient.h | 1 +
 3 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 13511dc..cd51a3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -34,6 +34,7 @@ x2goclient (4.1.2.2-0x2go1) UNRELEASED; urgency=medium
 - Broker can send to client the number of suspended and running sessions for each session type. Client will display this information to user on session button.
 - update copyright years in about dialog.
+ - Do not show password in debug output of HTTP broker.
 [ Mihai Moldovan ]
 * New upstream version (4.1.2.2):
diff --git a/src/httpbrokerclient.cpp b/src/httpbrokerclient.cpp
index 07986fc..d264c11 100644
--- a/src/httpbrokerclient.cpp
+++ b/src/httpbrokerclient.cpp
@@ -291,7 +291,7 @@ void HttpBrokerClient::getUserSessions()
 "password="<<QUrl::toPercentEncoding(config->brokerPass)<<"&"<<
 "authid="<<nextAuthId;
- x2goDebug << "sending request: "<< req.toUtf8();
+ x2goDebug << "sending request: "<< scramblePwd(req.toUtf8());
 QNetworkRequest request(QUrl(config->brokerurl));
 request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
 sessionsRequest=http->post (request, req.toUtf8() );
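Review bot: The new debug line in getUserSessions() hands `req.toUtf8()` to `scramblePwd(const QString&)`, so the request goes QString → QByteArray → QString through an implicit conversion only to be logged. Passing the string directly, `x2goDebug << "sending request: " << scramblePwd(req);`, avoids the round trip and does not rely on implicit QByteArray-to-QString construction being enabled in the build. The same call shape is repeated in the selectUserSession(), sendEvent(), changePassword() and testConnection() hunks. Masking is applied per call site, so any later log statement that prints `req` without the wrapper would expose the password again; the function body continues outside this hunk.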
@@ -333,7 +333,7 @@ void HttpBrokerClient::selectUserSession(const QString& session, const QString&
 {
 QTextStream ( &req ) <<"&login="<<QUrl::toPercentEncoding(loginName);
 }
- x2goDebug << "Sending request: "<< req.toUtf8();
+ x2goDebug << "sending request: "<< scramblePwd(req.toUtf8());
 QNetworkRequest request(QUrl(config->brokerurl));
 request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
 selSessRequest=http->post (request, req.toUtf8() );
@@ -381,7 +381,7 @@ void HttpBrokerClient::sendEvent(const QString& ev, const QString& id, const QSt
 "start="<<QUrl::toPercentEncoding(start)<<"&"<<
 "elapsed="<<QString::number(connectionTime)<<"&"<<
 "authid="<<nextAuthId;
- x2goDebug << "Sending request: "<< req.toUtf8();
+ x2goDebug << "sending request: "<< scramblePwd(req.toUtf8());
 QNetworkRequest request(QUrl(config->brokerurl));
 request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
 eventRequest=http->post (request, req.toUtf8() );
@@ -447,7 +447,7 @@ void HttpBrokerClient::changePassword(QString newPass)
 "user="<<QUrl::toPercentEncoding(brokerUser)<<"&"<<
 "password="<<QUrl::toPercentEncoding(config->brokerPass)<<"&"<<
 "authid="<<nextAuthId;
- x2goDebug << "Sending request: "<< req.toUtf8();
+ x2goDebug << "sending request: "<< scramblePwd(req.toUtf8());
 QNetworkRequest request(QUrl(config->brokerurl));
 request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
 chPassRequest=http->post (request, req.toUtf8() );
@@ -472,7 +472,7 @@ void HttpBrokerClient::testConnection()
 QString req;
 QTextStream ( &req ) << "task=testcon";
- x2goDebug << "Sending request: "<< req.toUtf8();
+ x2goDebug << "sending request: "<< scramblePwd(req.toUtf8());
 QNetworkRequest request(QUrl(config->brokerurl));
 request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
 testConRequest=http->post (request, req.toUtf8() );
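Review bot: In the changePassword(QString newPass) hunk the masked log line hides only the `password=` field, which carries `config->brokerPass`. The new password is presumably written into `req` under a different key in the part of the function above the hunk, and if so it still reaches the debug output in clear. Either scramblePwd() has to mask that field too, or this call site should log the task name without the request body. The request construction starts outside the hunk, so this needs to be checked against the full function.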
@@ -875,3 +875,25 @@ void HttpBrokerClient::slotSshIoErr(SshProcess* caller, QString error, QString l
 }
 createSshConnection();
 }
+
+QString HttpBrokerClient::scramblePwd(const QString& req)
+{
+ QString scrambled=req;
+ int startPos=scrambled.indexOf("password=");
+ if(startPos!=-1)
+ {
+ startPos+=9;
+ int endPos=scrambled.indexOf("&",startPos);
+ int plength;
+ if(endPos==-1)
+ {
+ plength=scrambled.length()-startPos;
+ }
+ else
+ {
+ plength=endPos-startPos;
+ }
+ scrambled.replace(startPos,plength,'*');
+ }
+ return scrambled;
+}
diff --git a/src/httpbrokerclient.h b/src/httpbrokerclient.h
index d01c734..9f8b07f 100644
--- a/src/httpbrokerclient.h
+++ b/src/httpbrokerclient.h
@@ -71,6 +71,7 @@ private:
 void parseSession(QString sInfo);
 void createSshConnection();
 bool checkAccess(QString answer);
+ QString scramblePwd(const QString& req);
 private slots:
 void slotRequestFinished ( QNetworkReply* reply );
-- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2goclient.git
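Review bot: scramblePwd() masks only the first position where the substring `password=` occurs and never checks that it is a whole form key, so a second credential field in the same request, or a real `password=` that follows a key merely ending in that text, is still logged in clear. `authid=` is also left untouched, which matters if that value is usable as an authentication token. Splitting the body on `&` and masking by exact key name removes the substring match and the hard-coded `startPos+=9`, and gives one place to list further secret fields. The function also lacks a comment stating that the result is a log-only copy and must never be the string posted to the broker.

```cpp
QString HttpBrokerClient::scramblePwd(const QString& req)
{
    // Returns a copy of req that is safe to log; never send the result to the broker.
    // Keys whose values must not reach the log; extend this list with any
    // other credential-bearing field the broker requests use.
    const QStringList secretKeys=QStringList()<<"password";
    QStringList fields=req.split('&');
    for(int i=0;i<fields.size();++i)
    {
        const int eq=fields[i].indexOf('=');
        if(eq!=-1 && secretKeys.contains(fields[i].left(eq)))
        {
            // whole-key match: keep "key=" and replace the value with a single '*'
            fields[i]=fields[i].left(eq+1)+'*';
        }
    }
    return fields.join("&");
}
```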
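Review bot: The declaration `QString scramblePwd(const QString& req);` added under `private:` is an ordinary member function, although the definition in httpbrokerclient.cpp reads no member state. Declaring it `static QString scramblePwd(const QString& req);` states that in the interface and lets code that has no client object reuse the same masking. A one-line comment such as `// log-safe copy of a broker request; credential values replaced by '*'` above the declaration would tell callers what the helper is for.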