clone #333 -1 reassign -1 python-x2go retitle -1 Users can inject arbitrary data into Pyhoca-GUI via .bashrc thanks
Hi All,
On Tue 29 Oct 2013 13:36:14 CET, Mike Gabriel wrote:
Hi All,
Dan Halbert made me aware of it being easily possible to inject
arbitrary data into X2Go Client via the server-side .bashrc file.
This surely is a security problem in X2Go. Thus, I found that we really need to do some sanity checks on
incoming output from X2Go Servers to avoid such injections. The idea is to invoke the server-side command with a UUID hash
before and after the actual command invocation:
- execute server-side command from X2Go Client:
    ssh <user>@<server> sh -c "echo <uuidhash> && <x2gocmd> && echo <uuidhash>"
- read data from X2Go Server:
    X2GODATABEGIN:<uuidhash>
    <x2godata_line1>
    <x2godata_line2>
    ....
    <x2godata_lineN>
    X2GODATAEND:<uuidhash>
cut out the X2Go data returned by the server (in C++):

    // markers are terminated by a newline so that a partial match inside a
    // data line cannot be mistaken for the frame boundary
    QString begin_marker = "X2GODATABEGIN:" + uuid + "\n";
    QString end_marker = "X2GODATAEND:" + uuid + "\n";
    int begin_pos = stdOutString.indexOf(begin_marker);
    int output_end = stdOutString.indexOf(end_marker);
    if (begin_pos < 0 || output_end < 0) {
        // one of the markers is missing: the command did not complete,
        // treat the whole output as untrusted and return nothing
        output = QString();
    } else {
        // everything before the begin marker (e.g. .bashrc output) and
        // everything after the end marker is dropped
        int output_begin = begin_pos + begin_marker.length();
        output = stdOutString.mid(output_begin, output_end - output_begin);
    }
I have a patch locally for this and will commit it in a minute. We
can discuss the patch and move on from there when it's there. Unfortunately, this patch does not fix #327 as it is impossible to
use scp with echoing .bashrc files. With this patch applied, the
session starts, but setting up the SSHfs shares fails with locking
up X2Go Client. For people who depend on echoing .bashrc files, please read my last
post on #327.

Mike
This actually also applies to Python X2Go.
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
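Since the bug is being cloned to python-x2go, here is the same UUID-framing scheme as an added Python example (not code from X2Go Client, Python X2Go or the thread above). The helper names, the `x2golistsessions` placeholder command and the sample server output are assumptions constructed for the demonstration; the point is that anything a ~/.bashrc prints outside the markers is discarded, and that a missing marker is treated as "no trusted data" rather than sliced blindly.

```python
import uuid
from typing import Optional

BEGIN = "X2GODATABEGIN:"
END = "X2GODATAEND:"


def build_remote_command(x2gocmd: str, marker: str) -> str:
    """Hypothetical helper: wrap the server-side command so that its output is
    framed by one freshly generated marker line before and after it."""
    return f'sh -c "echo {BEGIN}{marker} && {x2gocmd} && echo {END}{marker}"'


def extract_x2go_data(stdout: str, marker: str) -> Optional[str]:
    """Return only the text between the two marker lines.

    Returns None if either marker is missing, e.g. because the command
    failed before printing END; the caller must then not parse the output.
    Output printed by ~/.bashrc before BEGIN or after END is thrown away.
    """
    begin_marker = f"{BEGIN}{marker}\n"
    end_marker = f"{END}{marker}\n"
    begin = stdout.find(begin_marker)
    if begin < 0:
        return None
    begin += len(begin_marker)
    end = stdout.find(end_marker, begin)
    if end < 0:
        return None
    return stdout[begin:end]


# Constructed sample: a chatty ~/.bashrc prints text (including a line that
# looks like session data) before and after the real command output.
SAMPLE_MARKER = "3f1b2c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"
SAMPLE_STDOUT = (
    "Welcome to my server, have a nice day!\n"
    "fake|session|line|injected|by|bashrc\n"
    f"{BEGIN}{SAMPLE_MARKER}\n"
    "1234|user-50-1383049200_stDKDE_dp24|50|server|S|2013-10-29T13:00:00\n"
    f"{END}{SAMPLE_MARKER}\n"
    "bye from .bashrc\n"
)

if __name__ == "__main__":
    print(build_remote_command("x2golistsessions", str(uuid.uuid4())))
    print(repr(extract_x2go_data(SAMPLE_STDOUT, SAMPLE_MARKER)))
```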