Github user mike-jumper commented on a diff in the pull request:
https://github.com/apache/guacamole-client/pull/194#discussion_r161638782
--- Diff:
guacamole-ext/src/main/java/org/apache/guacamole/token/PromptEntry.java ---
@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.token;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import org.apache.guacamole.form.Field;
+
+/**
+ * A class that collects all of the information required to
+ * to display a prompt to the user during client connection.
+ */
+public class PromptEntry {
--- End diff --
> As an example, let's say I want to prompt the user for a folder within
their home directory that they want to pass through to a RDP connection - the
text in the connection configuration might be:
>
> /home/${GUAC_USERNAME}/${GUAC_PROMPT}
If a malicious user entered "../../" for that, they would gain access to
the root directory.
> Thus, the user would not be allowed to override everything about that
parameter, just provide some input within a scope that the administrator has
defined.
This may not actually end up being what happens, depending on the semantics
of the parameter.
I'm still unclear as to why `positions` is necessary, or what its values
are intended to be. Can you describe how `positions` would be used in the
examples you provided?
---
