This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch bugfix/1100 in repository x2goclient. discards a7ed686 Don't override PATH for the actual session or application command. Fixes: #1100 new d164a70 Don't override PATH for the actual session or application command. Fixes: #1100 This update added new revisions after undoing existing revisions. That is to say, some revisions that were in the old version of the branch are not in the new version. This situation occurs when a user --force pushes a change and generates a repository containing something like this: * -- * -- B -- O -- O -- O (a7ed686) \ N -- N -- N refs/heads/bugfix/1100 (d164a70) You should already have received notification emails for all of the O revisions, and so the following emails describe only the N revisions from the common base, B. Any revisions marked "omits" are not gone; other references still refer to them. Any revisions marked "discards" are gone forever. The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: src/onmainwindow.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) -- Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch bugfix/1100 in repository x2goclient. commit d164a700ba7e243f5038ef925208872f48f9c757 Author: Mike DePaulo <mikedep333@gmail.com> Date: Thu Mar 30 18:51:41 2017 -0400 Don't override PATH for the actual session or application command. Fixes: #1100 --- debian/changelog | 3 +++ src/onmainwindow.cpp | 65 ++++++++++++++++++++++++++++----------------- src/onmainwindow.h | 1 + src/sshmasterconnection.cpp | 4 +-- src/sshmasterconnection.h | 2 +- src/sshprocess.cpp | 15 ++++++++--- src/sshprocess.h | 2 +- 7 files changed, 61 insertions(+), 31 deletions(-) diff --git a/debian/changelog b/debian/changelog index 42c1e52..8e71aeb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -180,6 +180,9 @@ x2goclient (4.1.0.1-0x2go1) UNRELEASED; urgency=medium default because the installation dir is not writeable by users) + CVE-2017-6542 was fixed + - Don't override PATH for the actual session or application + command. + Fixes: #1100 [ Seth Galitzer ] * New upstream version (4.1.0.1): diff --git a/src/onmainwindow.cpp b/src/onmainwindow.cpp index 5dd3906..4b251bb 100644 --- a/src/onmainwindow.cpp +++ b/src/onmainwindow.cpp 
@@ -6700,6 +6700,39 @@ void ONMainWindow::slotAppDialog() void ONMainWindow::runCommand() { + + if ( runRemoteCommand ) + { + /* 1st override PATH and determine the base path to x2goruncommand. + * Then in SlotRunCommand, call x2goruncommand without overriding PATH. + * This ensures that the PATH is never overriden for the actual user + * session. + * Fixes: #1100 + */ + sshConnection->executeCommand ( "x2gobasepath", this, + SLOT ( SlotRunCommand ( bool, + QString, + int )), true); + } +#ifdef Q_WS_HILDON + //wait 5 seconds and execute xkbcomp + QTimer::singleShot ( 5000, this, SLOT ( slotExecXmodmap() ) ); +#endif +} + + +void ONMainWindow::runApplication(QString exec) +{ + QString cmd = "PULSE_CLIENTCONFIG=\"${HOME}/.x2go/C-" + + resumingSession.sessionId+"/.pulse-client.conf\" DISPLAY=:" + + resumingSession.display + + " setsid " + exec + " 1> /dev/null 2>/dev/null & exit"; + + sshConnection->executeCommand (cmd, 0, 0, false); +} + +void ONMainWindow::SlotRunCommand(bool, QString output, int) +{ QString passwd=getCurrentPass(); QString user=getCurrentUname(); QString host=resumingSession.server; @@ -6853,7 +6886,8 @@ void ONMainWindow::runCommand() if ( !startSessSound || startSessSndSystem==PULSE ) { - cmd=krbFwString+"setsid x2goruncommand "+resumingSession.display+" "+ + cmd=krbFwString+"setsid " + output + "/bin/x2goruncommand "+ + resumingSession.display+" "+ resumingSession.agentPid + " " + resumingSession.sessionId+" "+ resumingSession.sndPort+ " "+ command+" nosnd "+ @@ -6870,7 +6904,7 @@ void ONMainWindow::runCommand() switch ( startSessSndSystem ) { case ESD: - cmd=krbFwString+"setsid x2goruncommand "+ + cmd=krbFwString+"setsid " + output + "/bin/x2goruncommand "+ resumingSession.display+" "+ resumingSession.agentPid + " " + resumingSession.sessionId+" "+ 
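Review bot: `SlotRunCommand(bool, QString output, int)` leaves the success flag of the `x2gobasepath` call unnamed and unchecked, so a failed lookup would still have whatever text came back spliced into the session command built later in the function. Name the parameter and stop early when it is false, e.g. `if ( !result ) { x2goDebug<<"x2gobasepath failed: "<<output; return; }`, ideally with a user-visible error as well. The slot name is also capitalised unlike its neighbours (`slotRetRunCommand`, `slotExecXmodmap`); `slotRunCommand` would match. The body of the function continues outside this hunk.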
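Review bot: `output` is the server's reply to `x2gobasepath` and is concatenated unmodified into `cmd` at `"setsid " + output + "/bin/x2goruncommand "`, here and again in the ESD and ARTS branches of the following hunks. If the reply carries a trailing newline or other whitespace (likely for command stdout, though the delivery path is not visible here), the shell line is split and `x2goruncommand` is not found. Because the string later ends up inside `bash -l -c '…'` in `SshProcess::startNormal`, it should be treated as untrusted: trim it once into a local, e.g. `const QString basePath = output.trimmed();`, reject it unless it is a non-empty absolute path free of quotes and shell metacharacters, and build all three commands from `basePath`.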
@@ -6879,7 +6913,7 @@ void ONMainWindow::runCommand() sessionType +" 1> /dev/null 2>/dev/null & exit"; break; case ARTS: - cmd=krbFwString+"setsid x2goruncommand "+ + cmd=krbFwString+"setsid " + output + "/bin/x2goruncommand "+ resumingSession.display+" "+ resumingSession.agentPid + " " + resumingSession.sessionId+" "+ @@ -6891,27 +6925,10 @@ void ONMainWindow::runCommand() } } - if ( runRemoteCommand ) - { - sshConnection->executeCommand ( cmd, this, SLOT ( slotRetRunCommand ( bool, - QString, - int ) )); - } -#ifdef Q_WS_HILDON - //wait 5 seconds and execute xkbcomp - QTimer::singleShot ( 5000, this, SLOT ( slotExecXmodmap() ) ); -#endif -} - - -void ONMainWindow::runApplication(QString exec) -{ - QString cmd = "PULSE_CLIENTCONFIG=\"${HOME}/.x2go/C-" - + resumingSession.sessionId+"/.pulse-client.conf\" DISPLAY=:" - + resumingSession.display - + " setsid " + exec + " 1> /dev/null 2>/dev/null & exit"; - - sshConnection->executeCommand (cmd); + sshConnection->executeCommand ( cmd, this, + SLOT ( slotRetRunCommand ( bool, + QString, + int )), false); } void ONMainWindow::slotRetRunCommand ( bool result, QString output, diff --git a/src/onmainwindow.h b/src/onmainwindow.h index 37b454c..d2e5399 100644 --- a/src/onmainwindow.h +++ b/src/onmainwindow.h @@ -1080,6 +1080,7 @@ private slots: void slotShowAdvancedStat(); void slotRestartProxy(); void slotTestSessionStatus(); + void SlotRunCommand(bool, QString output, int); void slotRetRunCommand ( bool result, QString output, int ); void slotGetServers ( bool result, QString output, diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp index 8e620c2..f2db295 100644 --- a/src/sshmasterconnection.cpp +++ b/src/sshmasterconnection.cpp 
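Review bot: The `if ( runRemoteCommand )` guard removed in the `-6891,27` hunk used to wrap only the final `executeCommand`, so everything above it in the old `runCommand()` ran regardless of the flag; after the move into `SlotRunCommand` that code runs only when the flag is set. The body between the hunks is not visible, so please confirm nothing in it (the sound-system setup around `startSessSound`, for instance) was relied on when `runRemoteCommand` is false. A short comment above the new call, such as `// PATH is deliberately left as set by the login shell, see #1100`, would also explain the bare `false` argument.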
@@ -290,14 +290,14 @@ int SshMasterConnection::copyFile(const QString& src, const QString dst, QObject return proc->pid; } -int SshMasterConnection::executeCommand(const QString& command, QObject* receiver, const char* slotFinished) +int SshMasterConnection::executeCommand(const QString& command, QObject* receiver, const char* slotFinished, bool overridePath) { SshProcess* proc=new SshProcess(this, nextPid++); if(receiver && slotFinished) { connect(proc, SIGNAL(sshFinished(bool,QString,int)), receiver, slotFinished); } - proc->startNormal(command); + proc->startNormal(command, overridePath); processes<<proc; return proc->pid; diff --git a/src/sshmasterconnection.h b/src/sshmasterconnection.h index 4cc1f82..13499e6 100644 --- a/src/sshmasterconnection.h +++ b/src/sshmasterconnection.h @@ -89,7 +89,7 @@ public: void writeKnownHosts(bool); void setKeyPhrase(QString); - int executeCommand(const QString& command, QObject* receiver=0, const char* slotFinished=0); + int executeCommand(const QString& command, QObject* receiver=0, const char* slotFinished=0, bool overridePath=true); int startTunnel(const QString& forwardHost, uint forwardPort, const QString& localHost, uint localPort, bool reverse=false, QObject* receiver=0, const char* slotTunnelOk=0, const char* slotFinished=0); int copyFile(const QString& src, const QString dst, QObject* receiver=0, const char* slotFinished=0); diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp index d921806..a5bb5cf 100644 --- a/src/sshprocess.cpp +++ b/src/sshprocess.cpp @@ -188,7 +188,7 @@ void SshProcess::rmPuttyReg(QString uuidStr) } #endif -void SshProcess::startNormal(const QString& cmd) +void SshProcess::startNormal(const QString& cmd, bool overridePath) { QUuid uuid = QUuid::createUuid(); QString uuidStr = uuid.toString().mid(1, 36).toLower(); 
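Review bot: The new `overridePath` parameter on the `executeCommand` declaration in `sshmasterconnection.h` is undocumented, and its default of `true` means every existing caller silently keeps the fixed PATH while new callers have to know to opt out. A comment on the declaration would make the contract explicit, e.g. `// overridePath: prefix the remote command with PATH=/usr/local/bin:/usr/bin:/bin; pass false to keep the login shell's PATH`. Since `runApplication` now passes `0, 0, false` positionally, the comment also helps readers of such call sites.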
@@ -198,9 +198,18 @@ void SshProcess::startNormal(const QString& cmd) // ONLY UNCOMMENT FOR TESTING, MIGHT REVEAL PASSWORD WHEN command=RDP x2goDebug<<"Executing remote command via SshProcess object "<<pid<<": "<<cmd; // #endif + QString pathString; + if (overridePath) + { + pathString = "export PATH=\"/usr/local/bin:/usr/bin:/bin\";"; + } + else + { + pathString= ""; + } if(!masterCon->useKerberos()) { - QString shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\"; export PATH=\"/usr/local/bin:/usr/bin:/bin\"; export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'"; + QString shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\"; " + pathString + "export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'"; x2goDebug << "this="<<this<<" Running masterCon->addChannelConnection(this, '" << uuidStr << "', '" << shcmd.left (200) << "');"; masterCon->addChannelConnection(this, uuidStr, shcmd); connect(masterCon,SIGNAL(stdOut(SshProcess*,QByteArray)),this,SLOT(slotStdOut(SshProcess*,QByteArray))); @@ -222,7 +231,7 @@ void SshProcess::startNormal(const QString& cmd) * as there is no preceding "outer double quote" the whole argument * is wrapped in. */ - shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\"; export PATH=\"/usr/local/bin:/usr/bin:/bin\"; export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'"; + shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\";" + pathString + "export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'"; proc=new QProcess(this); QString local_cmd = ""; diff --git a/src/sshprocess.h b/src/sshprocess.h index c9c3733..e8df1ea 100644 --- a/src/sshprocess.h +++ b/src/sshprocess.h 
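Review bot: The `pathString` setup in the `-198,9` hunk is more verbose than it needs to be, and the two `shcmd` literals it feeds have drifted apart: the non-Kerberos one uses `"\"; " + pathString` while the Kerberos one in the `-222,7` hunk uses `"\";" + pathString`. The `else` branch is redundant because a default-constructed `QString` already concatenates as empty; `const QString pathString = overridePath ? QString ( "export PATH=\"/usr/local/bin:/usr/bin:/bin\"; " ) : QString();` says the same in one line. Building the `bash -l -c '…'` string once before the `useKerberos()` branch would keep the two variants from diverging further. `startNormal` begins and ends outside these hunks.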
@@ -36,7 +36,7 @@ private: SshProcess(SshMasterConnection* master, int pid); ~SshProcess(); - void startNormal(const QString& cmd); + void startNormal(const QString& cmd, bool overridePath); void startTunnel(const QString& forwardHost, uint forwardPort, const QString& localHost, uint localPort, bool reverse=false); void start_cp(QString src, QString dst); -- Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git