[
https://issues.apache.org/jira/browse/GUACAMOLE-1261?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17262921#comment-17262921
]
Mike Jumper commented on GUACAMOLE-1261:
----------------------------------------
{quote}
... This is because the slash is not properly escaped in the URL, leading to
it's interpretation as part of the path. ...
{quote}
I would say that _that_ is the issue here, then, not inadequate validation.
There shouldn't be any issue with slashes in usernames or group names, nor
should Guacamole assume that a username will never contain such a character.
The URLs included in the UI for the relevant resources should be corrected to
properly escape user/group identifiers.
> Inadequate input validation in user group names causes broken hyperlinks when
> forward slashes are included in user group name.
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: GUACAMOLE-1261
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1261
> Project: Guacamole
> Issue Type: Bug
> Components: Website
> Affects Versions: 1.2.0
> Reporter: David McDonald
> Priority: Minor
>
> When a forward slash in included in the name of a User Group, the hyperlink
> that is supposed direct the user to the settings page for that User Group is
> broken, redirecting the user to the main page. This is because the slash is
> not properly escaped in the URL, leading to it's interpretation as part of
> the path.
> Once this happens, the only way to delete/update that User Group is through
> deleting/updating its entry in the MySQL/Postgresql database directly.
> This is likely present in other areas of the website, such as users,
> connections, etc. The most probable solution involves improving input
> validation through, for example, disallowing the use of forward slashes in
> names.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
