29 Oct
2013
29 Oct
'13
12:59 p.m.
Hi Mike, this fix to authenticate the commands is good. I didn't realize I was uncovering a security problem.
One question: the underlying crash was due to bad data. If authenticated but still bad data is sent, will the client still crash? I am thinking about a malicious server crafting something to crash the client or have it do something bad. I looked at the code diff and I didn't see some underlying verification of the x2go commands.
E.g.: X2GODATABEGIN:<good-uuidhash> bad data here X2GODATAEND:<good-uuidhash>