[X2Go-Commits] [x2goclient] 01/01: Don't override PATH for the actual session or application command. Fixes: #1100

git-admin at x2go.org git-admin at x2go.org
Sun Mar 26 18:11:35 CEST 2017


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch bugfix/1100
in repository x2goclient.

commit a7ed6868825c111f8d0fa4a64aa82115b8dab039
Author: Mike DePaulo <mikedep333 at gmail.com>
Date:   Sun Mar 26 12:09:11 2017 -0400

    Don't override PATH for the actual session or application command.  Fixes: #1100
---
 debian/changelog            |  3 ++
 src/onmainwindow.cpp        | 67 ++++++++++++++++++++++++++++-----------------
 src/onmainwindow.h          |  1 +
 src/sshmasterconnection.cpp |  4 +--
 src/sshmasterconnection.h   |  2 +-
 src/sshprocess.cpp          | 15 ++++++++--
 src/sshprocess.h            |  2 +-
 7 files changed, 62 insertions(+), 32 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 42c1e52..8e71aeb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -180,6 +180,9 @@ x2goclient (4.1.0.1-0x2go1) UNRELEASED; urgency=medium
           default because the installation dir is not writeable by
           users)
         + CVE-2017-6542 was fixed
+    - Don't override PATH for the actual session or application
+      command.
+      Fixes: #1100
 
   [ Seth Galitzer ]
   * New upstream version (4.1.0.1):
diff --git a/src/onmainwindow.cpp b/src/onmainwindow.cpp
index 5dd3906..0b15649 100644
--- a/src/onmainwindow.cpp
+++ b/src/onmainwindow.cpp
@@ -6291,7 +6291,7 @@ void ONMainWindow::slotProxyStderr()
             {
                 xmodExecuted=true;
                 QTimer::singleShot (
-                    2000, this,
+                    4000, this,
                     SLOT ( slotExecXmodmap() ) );
             }
         }
@@ -6700,6 +6700,39 @@ void ONMainWindow::slotAppDialog()
 
 void ONMainWindow::runCommand()
 {
+
+    if ( runRemoteCommand )
+    {
+        /* 1st override PATH and determine the base path to x2goruncommand.
+	 * Then in SlotRunCommand, call x2goruncommand without overriding PATH.
+	 * This ensures that the PATH is never overriden with for the actual
+	 * user session.
+	 * Fixes: #1100
+	 */
+        sshConnection->executeCommand ( "x2gobasepath", this,
+                                        SLOT ( SlotRunCommand ( bool,
+                                        QString,
+                                        int )), true);
+    }
+#ifdef Q_WS_HILDON
+    //wait 5 seconds and execute xkbcomp
+    QTimer::singleShot ( 5000, this, SLOT ( slotExecXmodmap() ) );
+#endif
+}
+
+
+void ONMainWindow::runApplication(QString exec)
+{
+    QString cmd = "PULSE_CLIENTCONFIG=\"${HOME}/.x2go/C-"
+                + resumingSession.sessionId+"/.pulse-client.conf\" DISPLAY=:"
+                + resumingSession.display
+                + " setsid " + exec + " 1> /dev/null 2>/dev/null & exit";
+
+    sshConnection->executeCommand (cmd, 0, 0, false);
+}
+
+void ONMainWindow::SlotRunCommand(bool, QString output, int)
+{
     QString passwd=getCurrentPass();
     QString user=getCurrentUname();
     QString host=resumingSession.server;
@@ -6853,7 +6886,8 @@ void ONMainWindow::runCommand()
 
     if ( !startSessSound  || startSessSndSystem==PULSE )
     {
-        cmd=krbFwString+"setsid x2goruncommand "+resumingSession.display+" "+
+        cmd=krbFwString+"setsid " + output + "/bin/x2goruncommand "+
+            resumingSession.display+" "+
             resumingSession.agentPid + " " +
             resumingSession.sessionId+" "+
             resumingSession.sndPort+ " "+ command+" nosnd "+
@@ -6870,7 +6904,7 @@ void ONMainWindow::runCommand()
         switch ( startSessSndSystem )
         {
         case ESD:
-            cmd=krbFwString+"setsid x2goruncommand "+
+            cmd=krbFwString+"setsid " + output + "/bin/x2goruncommand "+
                 resumingSession.display+" "+
                 resumingSession.agentPid + " " +
                 resumingSession.sessionId+" "+
@@ -6879,7 +6913,7 @@ void ONMainWindow::runCommand()
                 sessionType +" 1> /dev/null 2>/dev/null & exit";
             break;
         case ARTS:
-            cmd=krbFwString+"setsid x2goruncommand "+
+            cmd=krbFwString+"setsid " + output + "/bin/x2goruncommand "+
                 resumingSession.display+" "+
                 resumingSession.agentPid + " " +
                 resumingSession.sessionId+" "+
@@ -6891,27 +6925,10 @@ void ONMainWindow::runCommand()
         }
     }
 
-    if ( runRemoteCommand )
-    {
-        sshConnection->executeCommand ( cmd, this,  SLOT ( slotRetRunCommand ( bool,
-                                        QString,
-                                        int ) ));
-    }
-#ifdef Q_WS_HILDON
-    //wait 5 seconds and execute xkbcomp
-    QTimer::singleShot ( 5000, this, SLOT ( slotExecXmodmap() ) );
-#endif
-}
-
-
-void ONMainWindow::runApplication(QString exec)
-{
-    QString cmd = "PULSE_CLIENTCONFIG=\"${HOME}/.x2go/C-"
-                + resumingSession.sessionId+"/.pulse-client.conf\" DISPLAY=:"
-                + resumingSession.display
-                + " setsid " + exec + " 1> /dev/null 2>/dev/null & exit";
-
-    sshConnection->executeCommand (cmd);
+    sshConnection->executeCommand ( cmd, this,
+                                    SLOT ( slotRetRunCommand ( bool,
+                                    QString,
+                                    int )), false);
 }
 
 void ONMainWindow::slotRetRunCommand ( bool result, QString output,
diff --git a/src/onmainwindow.h b/src/onmainwindow.h
index 37b454c..d2e5399 100644
--- a/src/onmainwindow.h
+++ b/src/onmainwindow.h
@@ -1080,6 +1080,7 @@ private slots:
     void slotShowAdvancedStat();
     void slotRestartProxy();
     void slotTestSessionStatus();
+    void SlotRunCommand(bool, QString output, int);
     void slotRetRunCommand ( bool result, QString output,
                              int );
     void slotGetServers ( bool result, QString output,
diff --git a/src/sshmasterconnection.cpp b/src/sshmasterconnection.cpp
index 8e620c2..f2db295 100644
--- a/src/sshmasterconnection.cpp
+++ b/src/sshmasterconnection.cpp
@@ -290,14 +290,14 @@ int SshMasterConnection::copyFile(const QString& src, const QString dst, QObject
     return proc->pid;
 }
 
-int SshMasterConnection::executeCommand(const QString& command, QObject* receiver, const char* slotFinished)
+int SshMasterConnection::executeCommand(const QString& command, QObject* receiver, const char* slotFinished, bool overridePath)
 {
     SshProcess* proc=new SshProcess(this, nextPid++);
     if(receiver && slotFinished)
     {
         connect(proc, SIGNAL(sshFinished(bool,QString,int)), receiver, slotFinished);
     }
-    proc->startNormal(command);
+    proc->startNormal(command, overridePath);
     processes<<proc;
     return proc->pid;
 
diff --git a/src/sshmasterconnection.h b/src/sshmasterconnection.h
index 4cc1f82..13499e6 100644
--- a/src/sshmasterconnection.h
+++ b/src/sshmasterconnection.h
@@ -89,7 +89,7 @@ public:
     void writeKnownHosts(bool);
     void setKeyPhrase(QString);
 
-    int executeCommand(const QString& command, QObject* receiver=0, const char* slotFinished=0);
+    int executeCommand(const QString& command, QObject* receiver=0, const char* slotFinished=0, bool overridePath=true);
     int startTunnel(const QString& forwardHost, uint forwardPort, const QString& localHost,
                     uint localPort, bool reverse=false, QObject* receiver=0, const char* slotTunnelOk=0, const char* slotFinished=0);
     int copyFile(const QString& src, const QString dst, QObject* receiver=0, const char* slotFinished=0);
diff --git a/src/sshprocess.cpp b/src/sshprocess.cpp
index d921806..a5bb5cf 100644
--- a/src/sshprocess.cpp
+++ b/src/sshprocess.cpp
@@ -188,7 +188,7 @@ void SshProcess::rmPuttyReg(QString uuidStr)
 }
 #endif
 
-void SshProcess::startNormal(const QString& cmd)
+void SshProcess::startNormal(const QString& cmd, bool overridePath)
 {
     QUuid uuid = QUuid::createUuid();
     QString uuidStr = uuid.toString().mid(1, 36).toLower();
@@ -198,9 +198,18 @@ void SshProcess::startNormal(const QString& cmd)
 // ONLY UNCOMMENT FOR TESTING, MIGHT REVEAL PASSWORD WHEN command=RDP
     x2goDebug<<"Executing remote command via SshProcess object "<<pid<<": "<<cmd;
 // #endif
+    QString pathString;
+    if (overridePath)
+    {
+        pathString = "export PATH=\"/usr/local/bin:/usr/bin:/bin\";";
+    }
+    else
+    {
+        pathString= "";
+    }
     if(!masterCon->useKerberos())
     {
-        QString shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\"; export PATH=\"/usr/local/bin:/usr/bin:/bin\"; export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'";
+        QString shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\"; " + pathString + "export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'";
         x2goDebug << "this="<<this<<" Running masterCon->addChannelConnection(this, '" << uuidStr << "', '" << shcmd.left (200) << "');";
         masterCon->addChannelConnection(this, uuidStr, shcmd);
         connect(masterCon,SIGNAL(stdOut(SshProcess*,QByteArray)),this,SLOT(slotStdOut(SshProcess*,QByteArray)));
@@ -222,7 +231,7 @@ void SshProcess::startNormal(const QString& cmd)
          * as there is no preceding "outer double quote" the whole argument
          * is wrapped in.
          */
-        shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\"; export PATH=\"/usr/local/bin:/usr/bin:/bin\"; export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'";
+        shcmd = "bash -l -c 'echo \"X2GODATABEGIN:" + uuidStr + "\";" + pathString + "export TERM=\"dumb\"; "+cmd+"; echo \"X2GODATAEND:" + uuidStr + "\";'";
 
         proc=new QProcess(this);
         QString local_cmd = "";
diff --git a/src/sshprocess.h b/src/sshprocess.h
index c9c3733..e8df1ea 100644
--- a/src/sshprocess.h
+++ b/src/sshprocess.h
@@ -36,7 +36,7 @@ private:
     SshProcess(SshMasterConnection* master, int pid);
     ~SshProcess();
 
-    void startNormal(const QString& cmd);
+    void startNormal(const QString& cmd, bool overridePath);
     void startTunnel(const QString& forwardHost, uint forwardPort, const QString& localHost,
                      uint localPort, bool reverse=false);
     void start_cp(QString src, QString dst);

--
Alioth's /srv/git/code.x2go.org/x2goclient.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/x2goclient.git


More information about the x2go-commits mailing list