[X2Go-Dev] Bug#705: client sends password to http broker without percent encoding special characters such as &
Jason Alavaliant
alavaliant at ra09.com
Tue Dec 16 23:45:02 CET 2014
Package: x2goclient
Version: 4.0.3.1
Severity: grave
Tags: patch
I've just setup an x2go load balanced setup using x2gobroker (http
connection - x2goclient --broker-url=http://server:8080/plain/inifile),
after putting it into production we found a number of our users had
their passwords rejected when trying to sign into the x2go client to
access the broker.
Tracing through the traffic/logs we found that the problem is that
password values were being set unencoded to the broker, so for example
if there was an & present in a password the form data was submitted in
the form of
task=listsessions&user=user&password=mypass&word&authid=
which resulted in the data being read by the server as the pasword being
mypass rather than mypass&word
The attached patch in my testing (done on Linux) fixes the client so
data is correctly escaped so the above example would be submitted as
task=listsessions&user=user&password=mypass%26word&authid=
which is correctly parsed as the password being mypass&word
and allows the login to work.
If we could get an indication of when this fix is likely to make a
client release it would appreciated since we currently don't have
Windows and OSX builds with the patch and are trying to workout if it's
worth the time of setting up development workstations to be able to
compile the client for those platforms vs just waiting for the next
client release.
Thanks for your time.
Jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x2go-client-broker-httpauth-encoding-fix.patch
Type: text/x-diff
Size: 2039 bytes
Desc: not available
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20141217/a8e8dfd6/attachment.patch>
More information about the x2go-dev
mailing list